CVE-2017-8875
Clean Login <= 1.10.3 - Cross-Site Request Forgery
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL.
CSRF, en el plugin Clean Login en versiones anteriores a la 1.8 para WordPress, permite a los atacantes remotos cambiar la URL de redirección de inicio o cierre de sesión.
The Clean Login for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.3. This is due to missing or incorrect nonce validation on the clean_login_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Note this vulnerability was not patched in version 1.8 as stated in the CVE record.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-05-09 CVE Reserved
- 2017-05-10 CVE Published
- 2023-03-20 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| http://seclists.org/fulldisclosure/2017/May/23 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wordpress.org/plugins/clean-login/#developers | 2017-05-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Codection Search vendor "Codection" | Clean Login Search vendor "Codection" for product "Clean Login" | 1.7.12 Search vendor "Codection" for product "Clean Login" and version "1.7.12" | wordpress |
Affected
| ||||||