Vendor: Wordpress
By: Todor Donev
CVSS: 6.1 (MEDIUM)
Vulnerability: Cross Site Host Modification
CWE: 20
Product Name: Wordpress
Affected Version From: 5.2.3
Affected Version To: 5.2.3
Patch Exists: YES
Related CWE: CVE-2019-9669
CPE: a:wordpress:wordpress:5.2.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux, Windows, Mac
2019

WordPress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit

This attack can bypass a simple WAF to access restricted content on the web server, such as phpMyAdmin. It can also deface the vulnerable WordPress website with content from the default vhost.

Mitigation:

Set security headers on the web server and set Cache-Control to no-cache.

Exploit-DB raw data: