Description
Multiple cross-site scripting (XSS) vulnerabilities in products.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Product name or (2) Price description fields via a request to wp-admin/admin.php. NOTE: This issue may only cross privilege boundaries if used in combination with CVE-2013-5977.
Exploits (1)
References (7)
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/123587/WordPress-Cart66-1.5.1.14-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
Broken Link x_refsource_misc
http://archives.neohapsis.com/archives/bugtraq/2013-10/0048.html
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/bugtraq/2013/Oct/52
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://www.exploit-db.com/exploits/28959
Release Notes, Third Party Advisory x_refsource_misc
http://wordpress.org/plugins/cart66-lite/changelog
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/62977
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/87873
Scores
CVSS v3: 6.1
EPSS: 0.0211
EPSS Percentile: 84.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1)
cart66/cart66_lite_plugin < 1.5.1.14
Published: Dec 11, 2019
Tracked Since: Feb 18, 2026