6.5
CVE-2023-1889
- EPSS 0.11%
- Veröffentlicht 09.06.2023 06:15:58
- Zuletzt bearbeitet 08.04.2026 19:18:08
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginDirectorist <= 7.5.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Deletion in listing_task
The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts. Please note CVE-2023-35052 appears to be a duplicate of this issue.
Mögliche Gegenmaßnahme
Directorist: AI-Powered Business Directory, Listings & Classified Ads: Update to version 7.5.5, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Directorist: AI-Powered Business Directory, Listings & Classified Ads
Version
*-7.5.4
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wpwax ≫ Directorist SwPlatformwordpress Version <= 7.5.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.288 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
| security@wordfence.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.