ID

VAR-201503-0452


CVE

CVE-2015-0895


TITLE

All In One WP Security & Firewall vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2015-000038

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (aka Not Found) HTTP status codes. All In One WP Security & Firewall is a WordPress plugin that provides security functionality. If a user views a malicious page while logged in, access logs (404 events) maintained by the product may be deleted. An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks. WordPress is a blogging platform developed by the WordPress Software Foundation in PHP; it supports setting up personal blogging websites on PHP and MySQL servers.

Trust: 1.98

sources: NVD: CVE-2015-0895 // JVNDB: JVNDB-2015-000038 // BID: 74387 // VULHUB: VHN-78841

AFFECTED PRODUCTS

vendor: tips and tricks hq, model: all in one wordpress security and firewall, scope: lte, version: 3.8.9

Trust: 1.0

vendor: tips and tricks hq, model: all in one wp security & firewall, scope: lte, version: v3.8.9

Trust: 0.8

vendor: tips and tricks hq, model: all in one wordpress security and firewall, scope: eq, version: 3.8.9

Trust: 0.6

vendor: wordpress, model: all in one wp security & firewall, scope: eq, version: 3.8.9

Trust: 0.3

vendor: wordpress, model: all in one wp security & firewall, scope: eq, version: 3.8.3

Trust: 0.3

vendor: wordpress, model: all in one wp security & firewall, scope: eq, version: 3.8.2

Trust: 0.3

vendor: wordpress, model: all in one wp security & firewall, scope: eq, version: 3.8

Trust: 0.3

vendor: wordpress, model: all in one wp security & firewall, scope: ne, version: 3.9.0

Trust: 0.3

sources: BID: 74387 // JVNDB: JVNDB-2015-000038 // CNNVD: CNNVD-201503-127 // NVD: CVE-2015-0895

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0895
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2015-000038
value: LOW

Trust: 0.8

CNNVD: CNNVD-201503-127
value: MEDIUM

Trust: 0.6

VULHUB: VHN-78841
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-0895
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2015-000038
severity: LOW
baseScore: 2.6
vectorString: AV:N/AC:H/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-78841
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-78841 // JVNDB: JVNDB-2015-000038 // CNNVD: CNNVD-201503-127 // NVD: CVE-2015-0895

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-78841 // JVNDB: JVNDB-2015-000038 // NVD: CVE-2015-0895

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-127

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201503-127

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-000038

PATCH

title: All In One WP Security & Firewall - Changelog, url: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/

Trust: 0.8

sources: JVNDB: JVNDB-2015-000038

EXTERNAL IDS

db: NVD, id: CVE-2015-0895

Trust: 2.8

db: JVN, id: JVN87204433

Trust: 2.8

db: JVNDB, id: JVNDB-2015-000038

Trust: 2.5

db: CNNVD, id: CNNVD-201503-127

Trust: 0.7

db: BID, id: 74387

Trust: 0.4

db: VULHUB, id: VHN-78841

Trust: 0.1

sources: VULHUB: VHN-78841 // BID: 74387 // JVNDB: JVNDB-2015-000038 // CNNVD: CNNVD-201503-127 // NVD: CVE-2015-0895

REFERENCES

url:http://jvn.jp/en/jp/jvn87204433/index.html

Trust: 2.5

url:https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/

Trust: 1.7

url:http://jvndb.jvn.jp/jvndb/jvndb-2015-000038

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0895

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0895

Trust: 0.8

url:https://wordpress.org/plugins/all-in-one-wp-security-and-firewall all in one wp security & firewall

Trust: 0.3

url:http://wordpress.org/

Trust: 0.3

url:jvn.jp/en/jp/jvn87204433/index.html

Trust: 0.3

sources: VULHUB: VHN-78841 // BID: 74387 // JVNDB: JVNDB-2015-000038 // CNNVD: CNNVD-201503-127 // NVD: CVE-2015-0895

CREDITS

JPCERT

Trust: 0.3

sources: BID: 74387

SOURCES

db: VULHUB, id: VHN-78841
db: BID, id: 74387
db: JVNDB, id: JVNDB-2015-000038
db: CNNVD, id: CNNVD-201503-127
db: NVD, id: CVE-2015-0895

LAST UPDATE DATE

2025-04-13T23:39:07.061000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-78841, date: 2015-03-09T00:00:00
db: BID, id: 74387, date: 2015-03-06T00:00:00
db: JVNDB, id: JVNDB-2015-000038, date: 2015-03-11T00:00:00
db: CNNVD, id: CNNVD-201503-127, date: 2015-03-09T00:00:00
db: NVD, id: CVE-2015-0895, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-78841, date: 2015-03-07T00:00:00
db: BID, id: 74387, date: 2015-03-06T00:00:00
db: JVNDB, id: JVNDB-2015-000038, date: 2015-03-06T00:00:00
db: CNNVD, id: CNNVD-201503-127, date: 2015-03-09T00:00:00
db: NVD, id: CVE-2015-0895, date: 2015-03-07T02:59:02.723