8.8
CVE-2023-1874
- EPSS 4.01%
- Veröffentlicht 12.04.2023 14:15:07
- Zuletzt bearbeitet 21.11.2024 07:40:03
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation
The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wpda_role[]' parameter during a profile update. This requires the 'Enable role management' setting to be enabled for the site.
Mögliche Gegenmaßnahme
WP Data Access – No-Code App Builder with Tables, Forms, Charts & Maps: Update to version 5.3.8, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
WP Data Access – No-Code App Builder with Tables, Forms, Charts & Maps
Version
* - 5.3.7
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpdataaccess ≫ Wp Data Access SwPlatformwordpress Version <= 5.3.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 4.01% | 0.88 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@wordfence.com | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|