Infosec: Seeking advice regarding CVSS scoring.

One of the hardest tasks in my day job (at WPScan.com) is to assign CVSS scores. The Availability impact metric in particular is a source of internal arguments. Personally I think the CVSS v3.1 User Guide is quite clear on the subject, but we still end up arguing about how this should be understood in the context of WordPress plugins.

Typically the argument is that if a vulnerability lets an attacker upload arbitrary files or execute arbitrary code, that amounts to a high impact on availability. The way I read the CVSS docs, this would only affect the Confidentiality and Integrity impact metrics, leaving Availability at None or at most Low.

Does anybody have any advice or insights into how we should understand and score this metric?

#infosec #WordPress #php #CVSS
