Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 6.8
CVE Id CVE-2015-2293
Last Modified 18 Mar 2015 12:13:37
Published 17 Mar 2015 11:59:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2015-2293

Summary

Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.

Vulnerable Systems

Application

  • Yoast Wordpress Seo 1.5.6
  • Yoast Wordpress Seo 1.6.0
  • Yoast Wordpress Seo 1.6.1
  • Yoast Wordpress Seo 1.6.2
  • Yoast Wordpress Seo 1.6.3
  • Yoast Wordpress Seo 1.7.1
  • Yoast Wordpress Seo 1.7.2
  • Yoast Wordpress Seo 1.7.3
  • Yoast Wordpress Seo 1.7.3.1
  • Yoast Wordpress Seo 1.7.3.2
  • Yoast Wordpress Seo 1.7.3.3

References

CONFIRM - https://yoast.com/wordpress-seo-security-release/
MISC - https://wpvulndb.com/vulnerabilities/7841
CONFIRM - https://wordpress.org/plugins/wordpress-seo/changelog/
SECTRACK - 1031920
FULLDISC - 20150312 WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection
MISC - http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html

Last Updated: 27 May 2016 11:08:08