CVE-2020-8658

Published: 06/02/2020 Updated: 07/02/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The BestWebSoft Htaccess plugin up to and including version 1.8.1 for WordPress is vulnerable to CSRF via wp-admin/admin.php?page=htaccess.php&action=htaccess_editor. The htccss_nonce_name field passes a nonce to WordPress, but the plugin does not validate it correctly, resulting in an incorrect implementation of the anti-CSRF protection. As a result, an attacker can direct a victim to a malicious web page that modifies the .htaccess file and takes control of the website.

Vulnerable Products

bestwebsoft htaccess

Github Repositories

This PoC will describe how to exploit the CSRF vulnerability in the WP Htaccess by BestWebSoft plugin

Exploiting Htaccess by BestWebSoft WordPress Plugin. This PoC will describe how to exploit the CSRF vulnerability found in the WordPress plugin Htaccess by BestWebSoft. I published this CVE-2020-8658. About Cross-Site Request Forgery: Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a websit