CVE-2023-7203

2024-02-2709:15:37

CWE-352

WPScan

web.nvd.nist.gov

4252

smart forms

wordpress

plugin

security

unauthorized access

csrf

nvd

cve-2023-7203

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.7

Confidence

High

EPSS

Percentile

9.0%

JSON

The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as deleting entries.

Affected configurations

Vulners

Vulnrichment

Node

smart_formsRange<2.6.87wordpress

VendorProductVersionCPE
*smart_forms*cpe:2.3:a:*:smart_forms:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
*	smart_forms	*	cpe:2.3:a::smart_forms::::::wordpress::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Smart Forms",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.6.87"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]