6.3
CVE-2023-2067
- EPSS 0.07%
- Veröffentlicht 09.06.2023 06:16:02
- Zuletzt bearbeitet 21.11.2024 07:57:52
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginAnnouncement & Notification Banner – Bulletin <= 3.7.0 - Cross-Site Request Forgery
The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce validation on the 'bulletinwp_update_bulletin_status', 'bulletinwp_update_bulletin', 'bulletinwp_update_settings', 'bulletinwp_update_status', 'bulletinwp_export_bulletins', and 'bulletinwp_import_bulletins' functions in versions up to, and including, 3.7.0. This makes it possible for unauthenticated attackers to modify the plugin's settings, modify bulletins, create new bulletins, and more, via a forged request granted they can trick a site's user into performing an action such as clicking on a link.
Mögliche Gegenmaßnahme
Announcement & Notification Banner – Bulletin: Update to version 3.7.1, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Announcement & Notification Banner – Bulletin
Version
*-3.7.0
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Bulletin ≫ Announcement & Notification Banner - Bulletin SwPlatformwordpress Version <= 3.7.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.07% | 0.205 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
|
| security@wordfence.com | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
|