ID

VAR-201502-0264


CVE

CVE-2015-1879


TITLE

WordPress for Google Doc Embedder Plug-in vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-001568

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Google Doc Embedder plugin before 2.5.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the profile parameter in an edit action in the gde-settings page to wp-admin/options-general.php. The Google Doc Embedder plugin for WordPress is prone to an HTML-injection vulnerability. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Google Doc Embedder Plugin 2.5.18 is vulnerable; other versions may also be affected. WordPress is a blogging platform developed by the WordPress Software Foundation in PHP; it supports setting up personal blogging websites on PHP and MySQL servers. Google Doc Embedder is a plugin that can embed MS Office, PDF and other file types into web pages. The vulnerability stems from the wp-admin/options-general.php script not sufficiently filtering the 'profile' parameter in the gde-settings page.

Trust: 1.98

sources: NVD: CVE-2015-1879 // JVNDB: JVNDB-2015-001568 // BID: 72547 // VULHUB: VHN-79840

AFFECTED PRODUCTS

vendor: google doc embedder, model: google doc embedder, scope: eq, version: 2.5.18

Trust: 1.6

vendor: danlester, model: google doc embedder, scope: lt, version: 2.5.19

Trust: 0.8

vendor: wordpress, model: google doc embedder, scope: eq, version: 2.5.18

Trust: 0.3

vendor: wordpress, model: google doc embedder, scope: ne, version: 2.5.19

Trust: 0.3

sources: BID: 72547 // JVNDB: JVNDB-2015-001568 // CNNVD: CNNVD-201502-298 // NVD: CVE-2015-1879

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-1879
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-1879
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201502-298
value: MEDIUM

Trust: 0.6

VULHUB: VHN-79840
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-1879
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-79840
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-79840 // JVNDB: JVNDB-2015-001568 // CNNVD: CNNVD-201502-298 // NVD: CVE-2015-1879

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-79840 // JVNDB: JVNDB-2015-001568 // NVD: CVE-2015-1879

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-298

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201502-298

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001568

PATCH

title: Google Doc Embedder, url: https://wordpress.org/plugins/google-document-embedder/changelog/

Trust: 0.8

sources: JVNDB: JVNDB-2015-001568

EXTERNAL IDS

db: NVD, id: CVE-2015-1879

Trust: 2.8

db: PACKETSTORM, id: 130309

Trust: 2.5

db: BID, id: 72547

Trust: 2.0

db: JVNDB, id: JVNDB-2015-001568

Trust: 0.8

db: CNNVD, id: CNNVD-201502-298

Trust: 0.7

db: VULHUB, id: VHN-79840

Trust: 0.1

sources: VULHUB: VHN-79840 // BID: 72547 // JVNDB: JVNDB-2015-001568 // CNNVD: CNNVD-201502-298 // NVD: CVE-2015-1879

REFERENCES

url:http://packetstormsecurity.com/files/130309/wordpress-google-doc-embedder-2.5.18-cross-site-scripting.html

Trust: 2.5

url:http://www.securityfocus.com/bid/72547

Trust: 1.7

url:https://wordpress.org/plugins/google-document-embedder/changelog/

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1879

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1879

Trust: 0.8

url:https://wordpress.org/plugins/google-document-embedder/changelog/

Trust: 0.3

url:https://wordpress.org/plugins/google-document-embedder/

Trust: 0.3

url:http://wordpress.org/

Trust: 0.3

sources: VULHUB: VHN-79840 // BID: 72547 // JVNDB: JVNDB-2015-001568 // CNNVD: CNNVD-201502-298 // NVD: CVE-2015-1879

CREDITS

Morten Nørtoft, Kenneth Jepsen, and Mikkel Vej

Trust: 0.6

sources: CNNVD: CNNVD-201502-298

SOURCES

db: VULHUB, id: VHN-79840
db: BID, id: 72547
db: JVNDB, id: JVNDB-2015-001568
db: CNNVD, id: CNNVD-201502-298
db: NVD, id: CVE-2015-1879

LAST UPDATE DATE

2025-04-13T23:26:47.111000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-79840, date: 2015-02-20T00:00:00
db: BID, id: 72547, date: 2015-04-13T21:01:00
db: JVNDB, id: JVNDB-2015-001568, date: 2015-02-24T00:00:00
db: CNNVD, id: CNNVD-201502-298, date: 2015-02-26T00:00:00
db: NVD, id: CVE-2015-1879, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-79840, date: 2015-02-19T00:00:00
db: BID, id: 72547, date: 2015-02-09T00:00:00
db: JVNDB, id: JVNDB-2015-001568, date: 2015-02-24T00:00:00
db: CNNVD, id: CNNVD-201502-298, date: 2015-02-13T00:00:00
db: NVD, id: CVE-2015-1879, date: 2015-02-19T15:59:20.440