4.3

CVE-2023-0328

Exploit

WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion

WPCode <= 2.0.6 - Missing Authorization to Sensitive Key Disclosure/Update

The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as update and delete the auth key).
Mögliche Gegenmaßnahme
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager: Update to version 2.0.7, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WpcodeWpcode SwPlatformwordpress Version < 2.0.7
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager
Version *-2.0.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.8% 0.518
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://wpscan.com/vulnerability/3c4318a9-a3c5-409b-a52e-edd8583c3c43
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b1cae3-dc08-43b1-9a20-62b7263efeba
Third Party Advisory