// For flags

CVE-2014-9524

Easy Social Like Box – Popup – Sidebar Widget < 2.8.3 - Cross-Site Scripting

Severity Score

7.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple cross-site request forgery (CSRF) vulnerabilities in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, or (6) frm_height parameter in the slug_for_fb_like_box page to wp-admin/admin.php.

Múltiples vulnerabilidades de CSRF en el plugin Facebook Like Box (cardoza-facebook-like-box) anterior a 2.8.3 para WordPress permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) cambian las configuraciones de plugins a través de vectores no especificados o realizan ataques de XSS a través del parámetro (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, o (6) frm_height en la página slug_for_fb_like_box en wp-admin/admin.php.

*Credits: Kenneth Jepsen,Mikkel Vej,Morten Nortoft
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-12-12 CVE Published
  • 2015-01-05 CVE Reserved
  • 2024-09-17 CVE Updated
  • 2024-09-17 EPSS Updated
  • 2024-09-17 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Facebook Like Box Project
Search vendor "Facebook Like Box Project"
Facebook Like Box
Search vendor "Facebook Like Box Project" for product "Facebook Like Box"
<= 2.8.2
Search vendor "Facebook Like Box Project" for product "Facebook Like Box" and version " <= 2.8.2"
wordpress
Affected