CVE-2023-4600

Опубликовано: 30 авг. 2023

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins.

Ссылки

https://affiliatewp.com/changelog/
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2?source=cve
Third Party Advisory
https://affiliatewp.com/changelog/
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/eab422b8-8cf5-441e-a21f-6a0e1b7642b2?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:affiliatewp:affiliatewp:*:*:*:*:*:wordpress:*:*

Версия до 2.14.0 (включая)

EPSS

Процентиль: 22%

0.00072

Низкий

4.3 Medium

CVSS3

Дефекты

Связанные уязвимости

GHSA-jq25-pgm7-4vh9