CVE-2023-0453

2023-02-2109:15:13

WPScan

web.nvd.nist.gov

wp private message

wordpress plugin

access control

security issue

nvd

cve-2023-0453

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

25.5%

JSON

The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID.

Affected configurations

Nvd

Vulners

Node

apusthemeswp_private_messagingRange<1.0.6wordpress

VendorProductVersionCPE
apusthemeswp_private_messaging*cpe:2.3:a:apusthemes:wp_private_messaging:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
apusthemes	wp_private_messaging	*	cpe:2.3:a:apusthemes:wp_private_messaging::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WP Private Message",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "1.0.6"
      }
    ],
    "defaultStatus": "unaffected"
  }
]