A vulnerability was found in Blog2Social Plugin up to 5.0.2 on WordPress (WordPress Plugin). It has been classified as problematic. Affected is an unknown functionality of the file wp-admin/admin.php?page=blog2social-ship. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. CVE summarizes:

The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS.

The bug was discovered 10/25/2018. The weakness was published 02/05/2019 (Website). The advisory is available at security-consulting.icu. This vulnerability is traded as CVE-2019-9576 since 03/05/2019. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Successful exploitation requires user interaction by the victim. Technical details and a public exploit are known. This vulnerability is assigned to T1059.007 by the MITRE ATT&CK project.

After immediately, there has been an exploit disclosed. The exploit is shared for download at security-consulting.icu. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 103 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 5.0.3 eliminates this vulnerability.

Further details are available at seclists.org.

Productinfo

Type

• WordPress Plugin

Name

• Blog2Social Plugin

Version

• 5.0.0
• 5.0.1
• 5.0.2

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion