CVE-2015-2293
Summary
| CVE | CVE-2015-2293 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-03-17 15:59:00 UTC |
| Updated | 2015-03-18 16:13:00 UTC |
| Description | Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page. |
Risk And Classification
Problem Types: CWE-352
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Yoast | Wordpress Seo | 1.6.0 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.6.1 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.6.2 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.6.3 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.1 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.2 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3.1 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3.2 | All | All | All |
| Application | Yoast | Wordpress Seo | 1.7.3.3 | All | All | All |
| Application | Yoast | Wordpress Seo | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Yoast WordPress SEO WordPress Plugin Access Control Flaw Lets Remote Users Conduct Cross-Site Request Forgery Attacks - SecurityTracker | SECTRACK | www.securitytracker.com | Exploit |
| WordPress SEO By Yoast 1.7.3.3 SQL Injection ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit |
| WordPress › WordPress SEO by Yoast « WordPress Plugins | CONFIRM | wordpress.org | |
| Full Disclosure: WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection | FULLDISC | seclists.org | Exploit |
| WordPress SEO by Yoast <= 1.7.3.3 - Blind SQL Injection | MISC | wpvulndb.com | |
| WordPress SEO Security release • Yoast | CONFIRM | yoast.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.