CVE-2020-36713

Опубликовано: 07 июн. 2023

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account.

Ссылки

https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin/
Exploit
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-mstore-api-security-bypass-2-1-5/
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/934c3ce9-cf2d-4bf6-9a34-f448cb2e5a1d?source=cve
Third Party Advisory
https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin/
Exploit
https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-mstore-api-security-bypass-2-1-5/
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/934c3ce9-cf2d-4bf6-9a34-f448cb2e5a1d?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:inspireui:mstore_api:*:*:*:*:*:wordpress:*:*

Версия до 2.1.5 (включая)

EPSS

Процентиль: 73%

0.00786

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-306

Связанные уязвимости

GHSA-4w36-8q8w-r4jp