CVE-2013-5977: XSS
First published: Fri Nov 01 2013(Updated: )
Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or conduct cross-site scripting (XSS) attacks via the (2) Product name or (3) Price description field in a product save action via a request to wp-admin/admin.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cart66 Lite | <=1.5.1.14 | |
| Cart66 Lite | =1.0.7 | |
| Cart66 Lite | =1.0.8 | |
| Cart66 Lite | =1.1 | |
| Cart66 Lite | =1.1.1 | |
| Cart66 Lite | =1.1.2 | |
| Cart66 Lite | =1.1.3 | |
| Cart66 Lite | =1.1.4 | |
| Cart66 Lite | =1.1.5 | |
| Cart66 Lite | =1.1.6 | |
| Cart66 Lite | =1.3.0 | |
| Cart66 Lite | =1.4.0 | |
| Cart66 Lite | =1.4.1 | |
| Cart66 Lite | =1.4.2 | |
| Cart66 Lite | =1.4.4 | |
| Cart66 Lite | =1.4.7 | |
| Cart66 Lite | =1.4.8 | |
| Cart66 Lite | =1.4.9 | |
| Cart66 Lite | =1.5.0 | |
| Cart66 Lite | =1.5.0.1 | |
| Cart66 Lite | =1.5.0.2 | |
| Cart66 Lite | =1.5.1 | |
| Cart66 Lite | =1.5.1.1 | |
| Cart66 Lite | =1.5.1.2 | |
| Cart66 Lite | =1.5.1.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/bugtraq/2013-10/0048.html
- http://blog.noobroot.com/#!/2013/10/0-day-wordpress-cart66-plugin-15114.html
- http://osvdb.org/98352
- http://packetstormsecurity.com/files/123587/WordPress-Cart66-1.5.1.14-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
- http://seclists.org/bugtraq/2013/Oct/52
- http://secunia.com/advisories/55265
- http://wordpress.org/plugins/cart66-lite/changelog/
- http://www.exploit-db.com/exploits/28959
- http://www.securityfocus.com/bid/62975
- https://exchange.xforce.ibmcloud.com/vulnerabilities/87874
- http://blog.noobroot.com/#%21/2013/10/0-day-wordpress-cart66-plugin-15114.html
Frequently Asked Questions
What is the severity of CVE-2013-5977?
The severity of CVE-2013-5977 is classified as medium due to its potential to allow remote attackers to hijack administrator sessions.
How do I fix CVE-2013-5977?
To fix CVE-2013-5977, update the Cart66 Lite plugin to version 1.5.1.15 or higher.
What versions of the Cart66 Lite plugin are affected by CVE-2013-5977?
CVE-2013-5977 affects all versions of the Cart66 Lite plugin before 1.5.1.15.
What type of vulnerability is CVE-2013-5977?
CVE-2013-5977 is a cross-site request forgery (CSRF) vulnerability.
What could an attacker achieve by exploiting CVE-2013-5977?
By exploiting CVE-2013-5977, an attacker could create or modify products and even potentially perform cross-site scripting attacks.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/softwarecombine
- vendor/cart66
- canonical/cart66 lite
- version/cart66 lite/1.5.1.14
- version/cart66 lite/1.0.7
- version/cart66 lite/1.0.8
- version/cart66 lite/1.1
- version/cart66 lite/1.1.1
- version/cart66 lite/1.1.2
- version/cart66 lite/1.1.3
- version/cart66 lite/1.1.4
- version/cart66 lite/1.1.5
- version/cart66 lite/1.1.6
- version/cart66 lite/1.3.0
- version/cart66 lite/1.4.0
- version/cart66 lite/1.4.1
- version/cart66 lite/1.4.2
- version/cart66 lite/1.4.4
- version/cart66 lite/1.4.7
- version/cart66 lite/1.4.8
- version/cart66 lite/1.4.9
- version/cart66 lite/1.5.0
- version/cart66 lite/1.5.0.1
- version/cart66 lite/1.5.0.2
- version/cart66 lite/1.5.1
- version/cart66 lite/1.5.1.1
- version/cart66 lite/1.5.1.2
- version/cart66 lite/1.5.1.8