A Cross-Site-Request-Forgery (CSRF) vulnerability in widget_logic.php in the 2by2host Widget Logic plugin before 5.10.2 for WordPress allows remote attackers to execute PHP code via snippets (that are attached to widgets and then eval'd to dynamically determine their visibility) by crafting a malicious POST request that tricks administrators into adding the code.
References
Link | Resource |
---|---|
https://dannewitz.ninja/posts/widget-logic-csrf-to-rce | Exploit Third Party Advisory |
https://plugins.trac.wordpress.org/changeset/2112753/widget-logic | Third Party Advisory |
https://wpvulndb.com/vulnerabilities/9403 | |
https://wpvulndb.com/vulnerabilities/9413 | |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-07-01T17:56:51
Updated: 2019-08-15T10:06:02
Reserved: 2019-06-14T00:00:00
Link: CVE-2019-12826
NVD Information
Status: Modified
Published: 2019-07-01T18:15:11.740
Modified: 2019-07-31T08:15:11.583
Link: CVE-2019-12826
Redhat Information
No data.
CWE