Published: 2019/10/11 Last Updated: 2019/10/16
JVN#14776551
Multiple vulnerabilities in WordPress Plugin "wpDataTables Lite"
Overview
WordPress Plugin "wpDataTables Lite" contains multiple vulnerabilities.
Products Affected
- wpDataTables Lite Version 2.0.11 and earlier
Description
WordPress Plugin "wpDataTables Lite" provided by TMS-Plugins contains multiple vulnerabilities listed below.
- Cross-site Scripting (CWE-79) - CVE-2019-6011
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
  CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
- SQL Injection (CWE-89) - CVE-2019-6012
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 7.2
  CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5
Impact
- An arbitrary script may be executed in the logged-in user's web browser - CVE-2019-6011
- A user with administrative privileges may execute an arbitrary SQL command - CVE-2019-6012
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
Vendor Status
Vendor | Link |
TMS-Plugins | wpDataTables – Tables & Table Charts |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for publication under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2019-6011, CVE-2019-6012 |
JVN iPedia | JVNDB-2019-000064 |
Update History
- 2019/10/16: Information under the section [Products Affected] was modified.