Back to search
CVE-2020-8658
Published: Feb 6, 2020
Modified: Aug 4, 2024
PUBLISHED
Description
The BestWebSoft Htaccess plugin through 1.8.1 for WordPress allows wp-admin/admin.php?page=htaccess.php&action=htaccess_editor CSRF. The flag htccss_nonce_name passes the nonce to WordPress but the plugin does not validate it correctly, resulting in a wrong implementation of anti-CSRF protection. In this way, an attacker is able to direct the victim to a malicious web page that modifies the .htaccess file, and takes control of the website.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://wordpress.org/plugins/htaccess/#developers
x_refsource_MISC
https://wpvulndb.com/vulnerabilities/10060
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now