CVE-2018-16257: XSS
First published: Fri Apr 12 2019(Updated: )
** DISPUTED ** There are multiple XSS vulnerabilities in WP All Import plugin 3.4.9 for WordPress via action=template. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Soflyy Wp All Import | =3.4.9 | |
| =3.4.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2018-16257.
What is the severity of CVE-2018-16257?
The severity of CVE-2018-16257 is medium.
What is the affected software?
The affected software is WP All Import plugin version 3.4.9 for WordPress.
How can the vulnerability be exploited?
The vulnerability can be exploited via the action=template in the WP All Import plugin version 3.4.9 for WordPress.
Are there any fixes or mitigations available for CVE-2018-16257?
The vendor disputed the vulnerability, but it is recommended to update WP All Import plugin to the latest version to mitigate the risk.
- collector/nvd-index
- agent/references
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/status
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- status/disputed
- vendor/soflyy
- canonical/soflyy wp all import
- version/soflyy wp all import/3.4.9