Published: 2019/10/11  Last Updated: 2019/10/16

JVN#14776551
Multiple vulnerabilities in WordPress Plugin "wpDataTables Lite"

Overview

WordPress Plugin "wpDataTables Lite" contains multiple vulnerabilities.

Products Affected

  • wpDataTables Lite Version 2.0.11 and earlier

Description

WordPress Plugin "wpDataTables Lite" provided by TMS-Plugins contains multiple vulnerabilities listed below.

  • Cross-site Scripting (CWE-79) - CVE-2019-6011
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6
  • SQL Injection (CWE-89) - CVE-2019-6012
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Base Score: 7.2
    CVSS v2 AV:N/AC:L/Au:S/C:P/I:P/A:P Base Score: 6.5

Impact

  • An arbitrary script may be executed on the logged-in user's web browser - CVE-2019-6011
  • A user with administrative privileges may execute an arbitrary SQL command - CVE-2019-6012

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

Vendor Status

Vendor Link
TMS-Plugins wpDataTables – Tables & Table Charts

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Gen Sato of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2019-6011, CVE-2019-6012
JVN iPedia: JVNDB-2019-000064

Update History

2019/10/16
Information under the section [Products Affected] was modified.