CVE-2019-17233
published 2019-10-07

CVE-2019-17233: Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection.

Priority: P279 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.84% (76.4th percentile)

Affected

1 range

Vendor            Product        Version range   Fixed in
etoilewebdesign   ultimate_faq   <= 1.8.24

Detection & IOCs (extracted from sources)

path: Functions/EWD_UFAQ_Import.php
url: /?ufaq={{question}}
  • An HTTP 302 response with a Location header containing 'reauth=1' indicates an authentication redirect (used as an internal matcher for the unauthenticated access check)
  • Successful injection is confirmed when the injected string payload is reflected in the HTTP 200 response body via the /?ufaq= endpoint
  • The vulnerability affects ultimate-faqs plugin versions through 1.8.24 only; later versions may be patched

CVSS provenance

nvd         v3.1   6.1   MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd         v2.0   4.3   MEDIUM   AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck          6.1   MEDIUM