9.8
CVE-2023-28121
- EPSS 93.41%
- Published 12.04.2023 21:15:28
- Last modified 21.11.2024 07:54:26
- Source support@hackerone.com
- Teams watchlist Login
- Open Login
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
Data is provided by the National Vulnerability Database (NVD)
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 4.8.0 < 4.8.2
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.0.0 < 5.0.4
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.1.0 < 5.1.3
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.2.0 < 5.2.2
Automattic ≫ Woocommerce Payments SwPlatformwordpress Version >= 5.5.0 < 5.5.2
Automattic ≫ Woopayments SwPlatformwordpress Version >= 5.6.0 < 5.6.2
Automattic ≫ Woopayments Version4.9.0 SwPlatformwordpress
Automattic ≫ Woopayments Version5.3.0 SwPlatformwordpress
Automattic ≫ Woopayments Version5.4.0 SwPlatformwordpress
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 93.41% | 0.998 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.