CVE-2019-16931
Summary
| CVE | CVE-2019-16931 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-10-03 19:15:00 UTC |
| Updated | 2019-10-09 19:50:00 UTC |
| Description | A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPress allows an unauthenticated attacker to execute arbitrary JavaScript when an admin or other privileged user edits the chart via the admin dashboard. This occurs because classes/Visualizer/Gutenberg/Block.php registers wp-json/visualizer/v1/update-chart with no access control, and classes/Visualizer/Render/Page/Data.php lacks output sanitization. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Themeisle | Visualizer | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress › Visualizer « WordPress Plugins | MISC | wordpress.org | Product, Release Notes |
| Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS) | MISC | wpvulndb.com | Exploit, Third Party Advisory |
| Wordpress Visualizer plugin XSS and SSRF - Nathan Davison | MISC | nathandavison.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |