CVE-2016-20083
MEDIUM Exploitation: PoC
5.3
CVSS 3.1
Description
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
Metadata
Severity & Metrics
5.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| henrikmelin | More Fields | — | 2.1 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-352 | cna | Cross-Site Request Forgery (CSRF) |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.9 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L |
| 5.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (3)
- ExploitDB-39507 https://www.exploit-db.com/exploits/39507
- Product Reference https://wordpress.org/support/plugin/more-fields
- VulnCheck Advisory: WordPress More Fields Plugin 2.1 Cross-Site Request Forgery https://www.vulncheck.com/advisories/wordpress-more-fields-plugin-cross-site-request-forgery