CVE-2015-2792
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
30/03/2015
Last modified:
12/04/2025
Description
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.
Impact
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:wpml:wpml:*:*:*:*:*:wordpress:*:* | 3.1.8 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://klikki.fi/adv/wpml.html
- http://packetstormsecurity.com/files/130839/WordPress-WPML-Missing-Authentication.html
- http://seclists.org/fulldisclosure/2015/Mar/79
- http://wpml.org/2015/03/wpml-security-update-bug-and-fix/
- http://klikki.fi/adv/wpml.html
- http://packetstormsecurity.com/files/130839/WordPress-WPML-Missing-Authentication.html
- http://seclists.org/fulldisclosure/2015/Mar/79
- http://wpml.org/2015/03/wpml-security-update-bug-and-fix/