CVE-2020-37225: XSS in Powie's WHOIS Domain Check
Platform: wordpress
Component: whois-domain-check
CVE-2020-37225 describes a persistent cross-site scripting (XSS) vulnerability found in Powie's WHOIS Domain Check versions 0.9.31–0.9.31. This vulnerability allows authenticated attackers to inject arbitrary JavaScript code, potentially leading to account compromise and privilege escalation. The vulnerability stems from unsanitized input fields within the plugin's configuration page, pwhois_settings.php. While a fix is not yet available, mitigation strategies can reduce risk.
Impact and attack scenarios
An attacker exploiting this XSS vulnerability can inject malicious JavaScript code into the settings of Powie's WHOIS Domain Check. Because the vulnerability requires authentication, the attacker needs valid credentials to reach the plugin's configuration page (pwhois_settings.php). Successful exploitation allows the attacker to execute JavaScript in the context of the administrator user, potentially stealing session cookies, redirecting users to malicious websites, or modifying plugin settings. The impact is significant because it can lead to complete control over the WordPress site if the administrator's session is compromised. This vulnerability shares similarities with other XSS vulnerabilities in which attackers leverage unsanitized input to inject malicious scripts.
Exploitation context
CVE-2020-37225 was published on May 13, 2026. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. No public Proof-of-Concept (POC) exploits have been widely reported. The vulnerability's severity is rated as medium (CVSS 6.4), suggesting a moderate probability of exploitation if a suitable exploit is developed and widely distributed. It is not listed on KEV or EPSS.
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet; no physical or local access is required. Largest attack surface.
- Attack Complexity
- Low: no special conditions are required; the vulnerability can be exploited reliably.
- Privileges Required
- Low: any valid user account suffices.
- User Interaction
- None: the attack is automatic and silent; the victim does not need to do anything.
- Scope
- Changed: the attack can reach beyond the vulnerable component and affect other systems.
- Confidentiality
- Low: some data can be accessed.
- Integrity
- Low: the attacker can modify some data, with limited impact.
- Availability
- None: no availability impact.
Mitigations and workarounds
Since a patched version of Powie's WHOIS Domain Check is not yet available, immediate mitigation is crucial. The primary workaround is to restrict access to the pwhois_settings.php configuration page. Implement role-based access control within WordPress to limit which users can access this page. Consider using a Web Application Firewall (WAF) with XSS filtering rules to block suspicious requests targeting the plugin's settings. Regularly review and audit plugin settings for any unusual or unexpected changes. Monitor WordPress logs for any signs of attempted XSS exploitation, such as unusual JavaScript execution patterns. Verify access controls after implementing these mitigations by attempting to access the configuration page with a non-administrator user.
Remediation
Update the Powie's WHOIS Domain Check plugin to the latest available version to mitigate the XSS vulnerability. Check the plugin's support page or the WordPress plugin repository for the most recent version and update instructions. In addition, review and sanitize all user input in the plugin's configuration to prevent future vulnerabilities.
Frequently asked questions
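The input-sanitization and access-control advice above, as an added illustration that is not code from Powie's WHOIS Domain Check: a hypothetical settings handler showing the stored-XSS pattern the advisory describes next to its hardened form. The option name `pwhois_demo_server`, the field names and the nonce action are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. All option, field and
// nonce names below are assumptions made for the example.

// --- Vulnerable pattern (the kind of defect the advisory describes) ---
// The submitted value is stored unchanged and echoed back unescaped, so a
// value that closes the attribute and adds a script tag persists in the
// database and runs in the browser of every admin who opens the page.
function pwhois_demo_save_vulnerable() {
    if ( isset( $_POST['pwhois_demo_server'] ) ) {
        update_option( 'pwhois_demo_server', $_POST['pwhois_demo_server'] ); // no sanitization
    }
}
function pwhois_demo_render_vulnerable() {
    echo '<input name="pwhois_demo_server" value="' . get_option( 'pwhois_demo_server' ) . '">'; // no escaping
}

// --- Hardened version ---
function pwhois_demo_save_hardened() {
    // Only users allowed to manage options may change plugin settings at all
    // (this is the role-based restriction of the settings page).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Reject forged requests from another origin (CSRF).
    check_admin_referer( 'pwhois_demo_save', 'pwhois_demo_nonce' );
    if ( isset( $_POST['pwhois_demo_server'] ) ) {
        // Sanitize on input: remove tags, control characters and added slashes.
        $server = sanitize_text_field( wp_unslash( $_POST['pwhois_demo_server'] ) );
        update_option( 'pwhois_demo_server', $server );
    }
}
function pwhois_demo_render_hardened() {
    // Escape on output as well, for the context the value lands in
    // (esc_attr inside an attribute, esc_html for text content).
    $server = get_option( 'pwhois_demo_server', '' );
    echo '<input name="pwhois_demo_server" value="' . esc_attr( $server ) . '">';
    wp_nonce_field( 'pwhois_demo_save', 'pwhois_demo_nonce' );
}
```

Sanitizing on input alone is not enough, since values can also reach the option table through other code paths; escaping at output is what stops a stored value from becoming markup.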
What is CVE-2020-37225 — XSS in Powie's WHOIS Domain Check?
CVE-2020-37225 is a cross-site scripting (XSS) vulnerability affecting Powie's WHOIS Domain Check versions 0.9.31–0.9.31. It allows authenticated attackers to inject JavaScript code via plugin settings, potentially compromising administrator accounts.
Am I affected by CVE-2020-37225 in Powie's WHOIS Domain Check?
You are affected if your WordPress website uses Powie's WHOIS Domain Check version 0.9.31. Check your plugin versions and implement mitigation strategies until a patch is available.
How do I fix CVE-2020-37225 in Powie's WHOIS Domain Check?
A patch is not yet available. Mitigate by restricting access to the plugin's configuration page, using a WAF, and monitoring logs for suspicious activity.
Is CVE-2020-37225 being actively exploited?
There is currently no evidence of active exploitation campaigns targeting CVE-2020-37225, but the vulnerability remains a potential risk.
Where can I find the official Powie's WHOIS Domain Check advisory for CVE-2020-37225?
Check the Powie's WHOIS Domain Check website and WordPress plugin repository for updates and advisories related to CVE-2020-37225.