CVE-2019-20360
CVE-2019-20360 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. EPSS estimates a 2.46% chance of exploitation in the next 30 days.
Description
A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the wp_usermeta table, and the token is set to the corresponding MD5 hash of the meta key selected, one can make a request to the restricted endpoints, and thus access sensitive donor data.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Givewp | Givewp | < 2.5.5 |
References
- https://wpvulndb.com/vulnerabilities/9889 (Third Party Advisory)
- https://www.wordfence.com/blog/2019/09/authentication-bypass-vulnerability-in-givewp-plugin/ (Exploit, Third Party Advisory)
Source: NVD / NIST
