Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
jvnJapan Vulnerability NotesJVN:01093915
HistoryMay 15, 2023 - 12:00 a.m.

JVN#01093915: Multiple vulnerabilities in WordPress Plugin "MW WP Form" and "Snow Monkey Forms"

2023-05-1500:00:00
Japan Vulnerability Notes
jvn.jp
11
wordpress
plugin
vulnerabilities
mw wp form
snow monkey forms
remote attacker
website alteration
denial-of-service
sensitive information
update

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.004 Low

EPSS

Percentile

73.9%

JSON

WordPress Plugin “MW WP Form” and “Snow Monkey Forms” provided by Monkey Wrench Inc. contain multiple vulnerabilities listed below.

Directory traversal (CWE-22) - CVE-2023-28408

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L Base Score: 7.2
CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:P Base Score: 6.4

Unrestricted upload of file with dangerous type (CWE-434) - CVE-2023-28409

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3
CVSS v2 AV:N/AC:L/Au:N/C:N/I:P/A:N Base Score: 5.0

Directory traversal (CWE-22) - CVE-2023-28413

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Base Score: 8.3
CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5

Impact

  • A remote unauthenticated attacker may alter the website or cause a denial-of-service (DoS) condition, and obtain sensitive information depending on settings - CVE-2023-28408
  • A remote unauthenticated attacker may upload an unintended file - CVE-2023-28409
  • A remote unauthenticated attacker may obtain sensitive information, alter the website, or cause a denial-of-service (DoS) condition - CVE-2023-28413

Solution

Update the plugin
Update the plugin according to the information provided by the developer.

Products Affected

CVE-2023-28408, CVE-2023-28409

  • MW WP Form versions v4.4.2 and earlier
    CVE-2023-28413

  • Snow Monkey Forms versions v5.0.6 and earlier

Related

wpvulndb 2
nvd 3
cve 3
cvelist 3
prion 3
wordfence 1
wpvulndb
wpvulndb
MW WP Form < 4.4.3 - Unauthenticated Path Traversal
2023-05-15 00:00:00
Snow Monkey Forms < 5.0.7 - Unauthenticated Path Traversal
2023-05-15 00:00:00
nvd
nvd
CVE-2023-28409
2023-05-23 02:15:10
CVE-2023-28408
2023-05-23 02:15:10
CVE-2023-28413
2023-05-23 02:15:10
cve
cve
CVE-2023-28408
2023-05-23 02:15:10
CVE-2023-28409
2023-05-23 02:15:10
CVE-2023-28413
2023-05-23 02:15:10
cvelist
cvelist
CVE-2023-28408
2023-05-23 00:00:00
CVE-2023-28409
2023-05-23 00:00:00
CVE-2023-28413
2023-05-23 00:00:00
prion
prion
Directory traversal
2023-05-23 02:15:00
Unrestricted file upload
2023-05-23 02:15:00
Directory traversal
2023-05-23 02:15:00
wordfence
wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)
2023-05-18 12:45:54

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.004 Low

EPSS

Percentile

73.9%

JSON
Related for JVN:01093915
wpvulndb2nvd3cve3cvelist3prion3wordfence1