8.8

CVE-2023-1597

Exploit

EPSS 0.26%
Veröffentlicht 10.07.2023 16:15:48
Zuletzt bearbeitet 21.11.2024 07:39:30
Quelle contact@wpscan.com
CVE-Watchlists
Login
Unerledigt
Login

tagDiv Cloud Library < 2.7 - Missing Authorization to Arbitrary User Metadata Update

The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

Mögliche Gegenmaßnahme

tagDiv Cloud Library: Update to version 2.7, or a newer patched version

Newspaper - News & WooCommerce WordPress Theme: Update to version 12.4, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt tagDiv Cloud Library

Version [*, 2.7)

SystemWordPress Theme

≫

Produkt Newspaper - News & WooCommerce WordPress Theme

Version *-12.3

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tagdiv ≫ Cloud Library SwPlatformwordpress Version < 2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.491

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Es wurden noch keine Informationen zu CWE veröffentlicht.

https://wpscan.com/vulnerability/4eafe111-8874-4560-83ff-394abe7a803b

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/24e8d1a4-9853-4f60-a371-7fdbe86d554b

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-1597

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-1597

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-1597

EUVD