CVE-2020-8658

Htaccess <= 1.8.1 - Cross-Site Request Forgery

highCross-Site Request Forgery (CSRF)

8.8

CVSS Score

8.8

CVSS Score

high

Severity

1.8.2

Patched in

1452d

Time to patch

Description

The BestWebSoft Htaccess plugin through 1.8.1 for WordPress allows wp-admin/admin.php?page=htaccess.php&action=htaccess_editor CSRF. The flag htccss_nonce_name passes the nonce to WordPress but the plugin does not validate it correctly, resulting in a wrong implementation of anti-CSRF protection. In this way, an attacker is able to direct the victim to a malicious web page that modifies the .htaccess file, and takes control of the website.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

High

Confidentiality

High

Integrity

High

Availability

Technical Details

Affected versions<=1.8.1

PublishedFebruary 1, 2020

Last updatedJanuary 22, 2024

Affected pluginhtaccess

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/a21df06c-4e56-4625-ae8b-89c9fc046939?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database