CVE-2019-12934
HIGHwp-code-highlightjs < 0.6.2 - Cross-Site Request Forgery via hljs_additional_css Parameter
Title source: llmDescription
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
References (3)
Core 3
Core References
Product x_refsource_misc
https://wordpress.org/plugins/wp-code-highlightjs/#developers
Exploit, Third Party Advisory x_refsource_misc
https://zeroauth.ltd/blog/2019/07/17/cve-2019-12934-wp-code-highlightjs-wordpress-plugin-csrf-leads-to-blog-wide-injected-script-html/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/109331
Scores
CVSS v3
8.8
EPSS
0.0134
EPSS Percentile
68.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
CWE-79
Status
published
Products (1)
wp-code-highlightjs_project/wp-code-highlightjs
< 0.6.2
Published
Jul 20, 2019
Tracked Since
Feb 18, 2026