CVE-2017-6955

MEDIUM

WordPress Invite Anyone <1.3.15 - Info Disclosure

Title source: llm

Description

An issue was discovered in by-email/by-email.php in the Invite Anyone plugin before 1.3.15 for WordPress. A user is able to change the subject and the body of the invitation mail that should be immutable, which facilitates a social engineering attack.

References (3)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/96965

[Third Party Advisory] https://github.com/boonebgorges/invite-anyone/compare/2ed5266ad3ae40f8db39adf06f450bbad56e2eac...boonebgorges:6121de08df86c5005b657dd67e48aa02c7982855

[Release Notes, Third Party Advisory] https://wordpress.org/plugins/invite-anyone/changelog/

Scores

CVSS v3 5.3

EPSS 0.0088

EPSS Percentile 75.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-20

Status published

Affected Products (2)

n/a/n/a

teleogistic/invite_anyone < 1.3.13

Timeline

Published Mar 17, 2017

Tracked Since Feb 18, 2026