// For flags

CVE-2015-9434

Logo Carousel < 1.7.2 - Stored Cross-Site Scripting

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The kiwi-logo-carousel plugin before 1.7.2 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings tab or tab_flags_order parameter.

El plugin kiwi-logo-carousel versiones anteriores a 1.7.2 para WordPress, presenta una vulnerabilidad de tipo CSRF con un XSS resultante por medio del parámetro tab o tab_flags_order de wp-admin/edit.php?post_type=kwlogos&amp;page=kwlogos_settings.

The Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp-admin/edit.php?post_type=kwlogos&page=kwlogos_settings' tab or tab_flags_order parameters in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers requires contributor or higher role user authentication to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

*Credits: Marcin Probola
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-09-25 CVE Reserved
  • 2019-09-26 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • 2024-09-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Kiwi-logo-carousel Project
Search vendor "Kiwi-logo-carousel Project"
 Kiwi-logo-carousel
Search vendor "Kiwi-logo-carousel Project" for product "Kiwi-logo-carousel"
 < 1.7.2
Search vendor "Kiwi-logo-carousel Project" for product "Kiwi-logo-carousel" and version " < 1.7.2"
wordpress
Affected