Description
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any users with an account on the affected site, like subscribers, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers.
References
- Exploit, Third Party Advisory
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1: versions up to and including 4.0.0
cpe:2.3:a:donation_button_project:donation_button:*:*:*:*:*:wordpress:*:*
EPSS: 0.00153 (percentile: 36%, Low)
CVSS3: 4.3 Medium
Weaknesses
Related vulnerabilities
CVSS3: 4.3
Source: github
About 3 years ago