CVE-2023-5251

Опубликовано: 30 окт. 2023

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

The Grid Plus plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'grid_plus_save_layout_callback' and 'grid_plus_delete_callback' functions in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with subscriber privileges or above, to add, update or delete grid layout.

Ссылки

https://plugins.trac.wordpress.org/browser/grid-plus/tags/1.3.2/core/ajax_be.php#L10
Issue Tracking
https://plugins.trac.wordpress.org/browser/grid-plus/tags/1.3.2/core/ajax_be.php#L69
Issue Tracking
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2d34c84-473c-49f8-b55c-c869b5479974?source=cve
Third Party Advisory
https://plugins.trac.wordpress.org/browser/grid-plus/tags/1.3.2/core/ajax_be.php#L10
Issue Tracking
https://plugins.trac.wordpress.org/browser/grid-plus/tags/1.3.2/core/ajax_be.php#L69
Issue Tracking
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2d34c84-473c-49f8-b55c-c869b5479974?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:g5theme:grid_plus:*:*:*:*:*:wordpress:*:*

Версия до 1.3.2 (включая)

EPSS

Процентиль: 16%

0.00049

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-cxcr-4mx7-3jpm