CVE-2018-16255 - OpenCVE

There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Soflyy	Wp All Import

Configuration 1 [-]

cpe:2.3:a:soflyy:wp_all_import:3.4.9:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html
https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-12T17:59:02

Updated: 2024-08-05T10:17:38.352Z

Reserved: 2018-08-31T00:00:00

Link: CVE-2018-16255

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-12T18:29:00.490

Modified: 2024-08-05T11:15:26.627

Link: CVE-2018-16255

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-08-21T00:00:00", "descriptions": [{"lang": "en", "value": "There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-29T17:05:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing"}, {"tags": ["x_refsource_MISC"], "url": "https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-16255", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing", "refsource": "MISC", "url": "https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing"}, {"name": "https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html", "refsource": "MISC", "url": "https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:17:38.352Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-16255", "datePublished": "2019-04-12T17:59:02", "dateReserved": "2018-08-31T00:00:00", "dateUpdated": "2024-08-05T10:17:38.352Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:soflyy:wp_all_import:3.4.9:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A3BC47D4-9880-4B3A-9A44-44CAAEF09622", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via action=evaluate. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator"}, {"lang": "es", "value": "** EN DISPUTA ** Hay una vulnerabilidad de tipo XSS en el plugin WP All Import para WordPress, versi\u00f3n 3.4.9, a trav\u00e9s de action=evaluate.NOTA: El proveedor declara que esto no es una vulnerabilidad. WP All Import solo puede ser utilizado por un administrador que ha iniciado sesi\u00f3n, y la acci\u00f3n descrita solo puede ser aprovechada por un administrador que ha iniciado sesi\u00f3n."}], "id": "CVE-2018-16255", "lastModified": "2024-08-05T11:15:26.627", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-12T18:29:00.490", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html"}, {"source": "cve@mitre.org", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}