9.8
CVE-2023-28121
- EPSS 93.41%
- Veröffentlicht 12.04.2023 21:15:28
- Zuletzt bearbeitet 21.11.2024 07:54:26
- Quelle support@hackerone.com
- Teams Watchlist Login
- Unerledigt Login
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 4.8.0 < 4.8.2
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.0.0 < 5.0.4
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.1.0 < 5.1.3
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.2.0 < 5.2.2
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.5.0 < 5.5.2
Automattic ≫ Woopayments SwPlatformwordpress Version >= 5.6.0 < 5.6.2
Automattic ≫ Woopayments Version4.9.0 SwPlatformwordpress
Automattic ≫ Woopayments Version5.3.0 SwPlatformwordpress
Automattic ≫ Woopayments Version5.4.0 SwPlatformwordpress
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 93.41% | 0.998 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.