Vulnerability Details CVE-2019-16332
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.159
EPSS Ranking 94.5%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
Products affected by CVE-2019-16332
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:-
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2017-11-30
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2017-12-08
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2018-12-23
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2018-12-25
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2018-12-26
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2018-12-28
- cpe:2.3:a:api_bearer_auth_project:api_bearer_auth:2018-12-29