Lucene search

WordfenceCVELIST:CVE-2023-2284

HistoryJun 09, 2023 - 12:32 p.m.

CVE-2023-2284

2023-06-0912:32:00

Wordfence

www.cve.org

wordpress

plugin vulnerability

data modification

capability check

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.6

Confidence

High

EPSS

0.001

Percentile

40.5%

JSON

The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin’s settings.

CNA Affected

[
  {
    "vendor": "wpwhitesecurity",
    "product": "WP Activity Log Premium",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "4.5.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2911239%40wp-security-audit-log%2Ftrunk&old=2897171%40wp-security-audit-log%2Ftrunk&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/6e29fd6b-462a-42be-9a2a-b6717b20a937?source=cve

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.6

Confidence

High

EPSS

0.001

Percentile

40.5%

JSON

Related for CVELIST:CVE-2023-2284