6.5

CVE-2023-0890

Exploit

EPSS 0.3%
Veröffentlicht 20.03.2023 16:15:12
Zuletzt bearbeitet 21.11.2024 07:38:02
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

Shortcodes Ultimate <= 5.12.7 - Authenticated (Subscriber+) Arbitrary Post Access via Shortcode

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts

Mögliche Gegenmaßnahme

WP Shortcodes Plugin — Shortcodes Ultimate: Update to version 5.12.8, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt WP Shortcodes Plugin — Shortcodes Ultimate

Version *-5.12.7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Getshortcodes ≫ Shortcodes Ultimate SwPlatformwordpress Version < 5.12.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.525

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://wpscan.com/vulnerability/8a466f15-f112-4527-8b02-4544a8032671

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/2eddfe94-7232-4d3d-9f3a-f53fc476a012

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-0890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-0890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-0890

EUVD