6.3
CVE-2023-4000
- EPSS 0.19%
- Veröffentlicht 31.08.2023 06:15:10
- Zuletzt bearbeitet 08.04.2026 18:18:12
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWaiting: One-click countdowns <= 0.6.2 - Cross-Site Request Forgery
Waiting: One-click countdowns <= 0.6.2 - Cross-Site Request Forgery
The Waiting: One-click countdowns plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to create and delete countdowns, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Mögliche Gegenmaßnahme
Waiting: One-click countdowns: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.084 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| security@wordfence.com | 6.3 | 2.8 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://plugins.trac.wordpress.org/browser/waiting/trunk/waiting.php?rev=2826039
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffba592-6d0d-408f-89fa-079066750b0a?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffba592-6d0d-408f-89fa-079066750b0a