CVE-2015-2315

Wpml < 3.1.8 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI.

Exploits (2)

nomisec WORKING POC 2 stars

by weidongl74 · poc

https://github.com/weidongl74/cve-2015-2315-report

View Code ZIP pw:eip

exploitdb WRITEUP

webappsphp

https://www.exploit-db.com/exploits/36414

View Code ZIP pw:eip

References (5)

[Exploit] http://klikki.fi/adv/wpml.html

[Exploit] http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html

[Exploit] http://seclists.org/fulldisclosure/2015/Mar/71

[Vendor Advisory] http://wpml.org/2015/03/wpml-security-update-bug-and-fix/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/534862/100/0/threaded

Scores

EPSS 0.0784

EPSS Percentile 92.0%

Details

CWE

CWE-79

Status published

Products (1)

wpml/wpml < 3.1.8

Published Mar 17, 2015

Tracked Since Feb 18, 2026