8.8

CVE-2023-2546

EPSS 2.04%
Published 06.06.2023 02:15:09
Last modified 21.11.2024 07:58:48
Source security@wordfence.com
Teams watchlist Login
Open Login

The WP User Switch plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.2. This is due to incorrect authentication checking in the 'wpus_allow_user_to_admin_bar_menu' function with the 'wpus_who_switch' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the username.

Affected products Warnungen 0 Metrics 3 CWE 0 References 7

Data is provided by the National Vulnerability Database (NVD)

Wp User Switch Project ≫ Wp User Switch SwPlatformwordpress Version <= 1.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.04%	0.832

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

https://lana.codes/lanavdb/0cfdc5fa-d219-46bb-b8cc-693ac28a9e92/

https://plugins.trac.wordpress.org/browser/wp-user-switch/trunk/inc/functions.php?rev=2237142#L33

Product

https://plugins.trac.wordpress.org/changeset/2921182/wp-user-switch/trunk/inc/functions.php

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/e89d912d-fa7a-4fb1-8872-95fa861c21ca?source=cve

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-2546

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2546

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2546

EUVD