Cross-site request forgery in Custom Body Class - CVE-2019-6030
Published: July 18, 2019 / Updated: December 16, 2019
Custom Body Class
Detailed vulnerability description
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to the lack of a CSRF check and of input sanitisation when the plugin's settings are updated. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
This vulnerability leads to unauthorized settings updates and stored XSS.
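
The two missing controls named above, sketched as a settings handler with both in place. This is an added example, not the plugin's own code or its actual fix: it assumes the plugin runs on WordPress, and the option name, nonce names, form field and `example_*` functions are hypothetical.

```php
<?php
// Hypothetical names for illustration; none are taken from the Custom Body Class plugin.
const EXAMPLE_OPTION       = 'example_body_classes';
const EXAMPLE_NONCE_ACTION = 'example_save_body_classes';
const EXAMPLE_NONCE_FIELD  = 'example_nonce';

// Settings form: wp_nonce_field() embeds a token bound to the user and the action.
function example_render_settings_form() {
    $value = implode( ' ', (array) get_option( EXAMPLE_OPTION, array() ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_body_classes">';
    wp_nonce_field( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );
    // Escape on output so a previously stored bad value cannot break out of the attribute.
    echo '<input type="text" name="body_classes" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}

// Save handler: authorisation, then CSRF check, then sanitisation, then storage.
function example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid (the CSRF check).
    check_admin_referer( EXAMPLE_NONCE_ACTION, EXAMPLE_NONCE_FIELD );

    $raw = isset( $_POST['body_classes'] )
        ? sanitize_text_field( wp_unslash( $_POST['body_classes'] ) )
        : '';
    $classes = array();
    foreach ( preg_split( '/\s+/', $raw, -1, PREG_SPLIT_NO_EMPTY ) as $class ) {
        // Keeps only characters valid in a class token (A-Z, a-z, 0-9, _ and -).
        $clean = sanitize_html_class( $class );
        if ( '' !== $clean ) {
            $classes[] = $clean;
        }
    }
    update_option( EXAMPLE_OPTION, array_values( array_unique( $classes ) ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_example_save_body_classes', 'example_save_settings' );

// Front end: sanitise again when rendering, covering values stored before the checks existed.
add_filter( 'body_class', function ( $classes ) {
    $stored = array_map( 'sanitize_html_class', (array) get_option( EXAMPLE_OPTION, array() ) );
    return array_merge( $classes, array_filter( $stored ) );
} );
```

The nonce check blocks the forged settings update, while sanitising on save and on output blocks the stored XSS, so each control has to hold even if the other is bypassed.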