CVE-2023-0749

2023-03-1317:15:12

WPScan

web.nvd.nist.gov

cve-2023-0749

ocean extra

wordpress plugin

authentication bypass

post content disclosure

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.4%

JSON

The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones.

Affected configurations

Nvd

Vulners

Node

oceanwpocean_extraRange<2.1.3wordpress

VendorProductVersionCPE
oceanwpocean_extra*cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
oceanwp	ocean_extra	*	cpe:2.3:a:oceanwp:ocean_extra::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Ocean Extra",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "2.1.3"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]