6.5
CVE-2023-0890
- EPSS 0.65%
- Veröffentlicht 20.03.2023 16:15:12
- Zuletzt bearbeitet 21.11.2024 07:38:02
- Quelle contact@wpscan.com
- CVE-Watchlists
- Unerledigt
LoginShortcodes Ultimate < 5.12.8 - Subscriber+ Arbitrary Post Access
Shortcodes Ultimate <= 5.12.7 - Authenticated (Subscriber+) Arbitrary Post Access via Shortcode
The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated users such as subscriber to view draft, private or even password protected posts. It is also possible to leak the password of protected posts
Mögliche Gegenmaßnahme
Shortcodes Ultimate – Content Elements: Update to version 5.12.8, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Getshortcodes ≫ Shortcodes Ultimate SwPlatformwordpress Version < 5.12.8
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Shortcodes Ultimate – Content Elements
Version
*-5.12.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.65% | 0.464 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://wpscan.com/vulnerability/8a466f15-f112-4527-8b02-4544a8032671
https://www.wordfence.com/threat-intel/vulnerabilities/id/2eddfe94-7232-4d3d-9f3a-f53fc476a012