Advisories

CVE-2020-8498

< Back to advisories

CVE ID – CVE-2020-8498

CVSS SCORE – 5.8 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)

AFFECTED VENDORS – GistPress

AFFECTED PRODUCTS – GistPress WordPress Plugin

VULNERABILITY DETAILS – XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users (e.g., ones who have the publish_posts capability).

ADDITIONAL DETAILS – The vendor triaged the vulnerability with the explicit fix listed here:
https://github.com/bradyvercher/gistpress/commit/e3f260edb6673227b0471c74b7ab13c094411ef7

Gistpress was then updated to version 3.0.2 which addresses the vulnerabilty as per this release:
https://github.com/bradyvercher/gistpress/releases/tag/v3.0.2

ADVICE – Pentest recommend updating GistPress to 3.0.2 to address the vulnerability. This plugin is not available from wordpress.org meaning that the update process requires manually downloading the most recent release and configuring it.

DISCLOSURE TIMELINE:
16/01/2020 Disclosure to vendor
16/01/2020 Vendor acknowledged vulnerability
16/01/2020 Fix released

CREDIT – Paul Ritchie, Sam Thomas 

Read the indepth research on CVE-2020-8498 >

The latest research and insights from Pentest

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the information security confidence you need.

Contact us today >
Pentest - CREST Accreditation
Pentest ISO 9001 Accreditation
Pentest ISO 27001 Accreditation
Pentest - Cyber Essentials Plus Accreditation
Pentest - OSCP Accreditation

/contact Us

/connect

Twitter Linkedin-in Github Youtube

/services

/about

/links

Pentest Limited is registered in England and Wales with company number 11925182

Registered address: 22 Great James Street, London, WC1N 3ES

VAT registration No: 331802826​

© 2019 - Present. Pentest Limited. All rights reserved.