cbcvebase.
CVE-2014-4535
published 2019-12-27

Priority: P277
CVSS 3.1 base score: 6.1 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 3.98% (89.2nd percentile)

Cross-site scripting (XSS) vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php.

Affected

2 ranges
Vendor                       Product              Version range                  Fixed in
import_legacy_media_project  import_legacy_media  <= 0.1                         -
qemu                         qemu                 >= 0 < 2.0.0+dfsg-2ubuntu1.3   2.0.0+dfsg-2ubuntu1.3

Detection & IOCs (extracted from sources)

path: getid3/demos/demo.mimeonly.php
other: filename=<script>alert(document.domain)</script>
  • Look for XSS payloads in the 'filename' parameter of requests to getid3/demos/demo.mimeonly.php on WordPress sites running Import Legacy Media plugin 0.1 or earlier.
  • An HTTP response with Content-Type text/html and status 200 is expected when the XSS payload is reflected.
  • The vulnerability is present only in Import Legacy Media plugin version 0.1 and earlier for WordPress.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd        v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv        -        7.5    HIGH      -
vulncheck  -        6.1    MEDIUM    -