Vulnerability Details : CVE-2014-5196
Cross-site request forgery (CSRF) vulnerability in improved-user-search-in-backend.php in the backend in the Improved user search in backend plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that insert XSS sequences via the iusib_meta_fields parameter.
Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)
Exploit prediction scoring system (EPSS) score for CVE-2014-5196
Probability of exploitation activity in the next 30 days: 0.22%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 60 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-5196
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2014-5196
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5196
-
http://wordpress.org/plugins/improved-user-search-in-backend/changelog
Improved user search in backend – WordPress plugin | WordPress.orgPatch;Vendor Advisory
-
https://security.dxw.com/advisories/csrf-and-xss-in-improved-user-search-allow-execution-of-arbitrary-javascript-in-wordpress-admin-area/
CSRF and XSS in Improved user search allow execution of arbitrary javascript in WordPress admin area – dxw advisoriesExploit
Products affected by CVE-2014-5196
- Improved User Search In Backend Project » Improved User Search In Backend » For WordpressVersions up to, including, (<=) 1.2.4cpe:2.3:a:improved_user_search_in_backend_project:improved_user_search_in_backend:*:-:-:*:-:wordpress:*:*