NewsSecurity Vulnerabilities

wp-code-highlightjs WordPress Plugin Vulnerability [CVE-2019-12934]

CVE Number – CVE-2019-12934

An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.

wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF,  as demonstrated by an XSS payload in the hljs_additional_css parameter.

An attacker could leverage this CSRF to include a script-tag that will execute upon CSRF, coupled with a wordpress user-create payload could potentially lead to RCE.

This plugin was closed on June 23, 2019 and is no longer available for download. But some users may still have it installed.

Plugin details & updates – https://wordpress.org/plugins/wp-code-highlightjs/#description

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.