// For flags

CVE-2015-10125

WP Ultimate CSV Importer Plugin cross-site request forgery

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.

Una vulnerabilidad ha sido encontrada en WP Ultimate CSV Importer Plugin 3.7.2 en WordPress y clasificada como problemática. Esto afecta a una parte desconocida. La manipulación conduce a cross-site request forgery. Es posible iniciar el ataque de forma remota. La actualización a la versión 3.7.3 puede solucionar este problema. El identificador del parche es 13c30af721d3f989caac72dd0f56cf0dc40fad7e. Se recomienda actualizar el componente afectado. A esta vulnerabilidad se le asignó el identificador VDB-241317.

Es wurde eine Schwachstelle in WP Ultimate CSV Importer Plugin 3.7.2 für WordPress entdeckt. Sie wurde als problematisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion. Durch Beeinflussen mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Ein Aktualisieren auf die Version 3.7.3 vermag dieses Problem zu lösen. Der Patch wird als 13c30af721d3f989caac72dd0f56cf0dc40fad7e bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

The Import CSV or XML Datafeed With Ease plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.7.2. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

*Credits: VulDB GitHub Commit Analyzer
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2015-05-05 CVE Published
  • 2023-10-04 CVE Reserved
  • 2024-08-06 CVE Updated
  • 2024-10-11 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Smackcoders
Search vendor "Smackcoders"
 Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv
Search vendor "Smackcoders" for product "Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv"
 < 3.7.3
Search vendor "Smackcoders" for product "Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv" and version " < 3.7.3"
wordpress
Affected