Description
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.
References
- Exploit, Third Party Advisory, VDB Entry
- Exploit, Third Party Advisory
- Release Notes, Vendor Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: version before 1.22.3 (exclusive); version before 2.22.3 (exclusive)
One of
cpe:2.3:a:updraftplus:updraftplus:*:*:*:*:free:wordpress:*:*
cpe:2.3:a:updraftplus:updraftplus:*:*:*:*:premium:wordpress:*:*
EPSS
Percentile: 80%
0.01399
Low
CVSS3: 6.5 Medium
CVSS2: 4 Medium
Weaknesses
CWE-863
Related vulnerabilities
github
almost 4 years ago
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.
EPSS
Percentile: 80%
0.01399
Low
CVSS3: 6.5 Medium
CVSS2: 4 Medium
Weaknesses
CWE-863