Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or the itemid parameter in the (3) wonderplugin_audio_show_item or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Magic Hills
  • Wonderplugin Audio Player

Configuration 1 [-]

cpe:2.3:a:magic_hills:wonderplugin_audio_player:*:*:*:*:*:wordpress:*:*

No data.

References
Link Providers
http://osvdb.org/show/osvdb/118510 cve-icon cve-icon
http://osvdb.org/show/osvdb/118511 cve-icon cve-icon
http://security.szurek.pl/wonderplugin-audio-player-20-blind-sql-injection-and-xss.html cve-icon cve-icon
http://www.exploit-db.com/exploits/36086 cve-icon cve-icon
http://www.securityfocus.com/bid/74851 cve-icon cve-icon
http://www.wonderplugin.com/wordpress-audio-player/ cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-03-05T16:00:00

Updated: 2024-08-06T05:10:15.596Z

Reserved: 2015-03-05T00:00:00

Link: CVE-2015-2218

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2015-03-05T16:59:01.163

Modified: 2016-12-03T03:04:25.553

Link: CVE-2015-2218

cve-icon Redhat

No data.