Information Disclosure

2023-11-1206:43:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

wordpress

vulnerability

malicious

plugin

information

disclosure

attacker

rest api

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.7%

JSON

wordpress is vulnerable to Information Disclosure. An attacker could exploit this vulnerability by tricking a user into installing a malicious Popup Builder plugin or by uploading a malicious plugin to a vulnerable WordPress installation. The malicious plugin would then inject malicious code into the WordPress database allowing the attacker to search for restricted user fields via the REST API.

CPENameOperatorVersion
wordpress:sideq5.5.3+dfsg1-1
wordpress:sideq5.6.1+dfsg1-1
wordpress:bustereq5.0.12+dfsg1-0+deb10u1
wordpress:bustereq5.0.11+dfsg1-0+deb10u1
wordpress:bustereq5.0.10+dfsg1-0+deb10u1
wordpress:sideq5.5.3+dfsg1-1
wordpress:sideq5.6.1+dfsg1-1
wordpress:bustereq5.0.12+dfsg1-0+deb10u1
wordpress:bustereq5.0.11+dfsg1-0+deb10u1
wordpress:bustereq5.0.10+dfsg1-0+deb10u1

Name	Operator	Version
wordpress:sid	eq	5.5.3+dfsg1-1
wordpress:sid	eq	5.6.1+dfsg1-1
wordpress:buster	eq	5.0.12+dfsg1-0+deb10u1
wordpress:buster	eq	5.0.11+dfsg1-0+deb10u1
wordpress:buster	eq	5.0.10+dfsg1-0+deb10u1
wordpress:sid	eq	5.5.3+dfsg1-1
wordpress:sid	eq	5.6.1+dfsg1-1
wordpress:buster	eq	5.0.12+dfsg1-0+deb10u1
wordpress:buster	eq	5.0.11+dfsg1-0+deb10u1
wordpress:buster	eq	5.0.10+dfsg1-0+deb10u1