CVE-2023-5975

EPSS 0.31%
Veröffentlicht 07.11.2023 11:15:12
Zuletzt bearbeitet 08.04.2026 18:18:34
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

ImageMapper <= 1.2.6 - Cross-Site Request Forgery to Plugin Settings Change via ajax

The ImageMapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

Mögliche Gegenmaßnahme

ImageMapper: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Imagemapper Project ≫ Imagemapper SwPlatformwordpress Version <= 1.2.6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt ImageMapper

Version *-1.2.6

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.228

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://plugins.trac.wordpress.org/browser/imagemapper/tags/1.2.6/imagemapper.php#L904

Patch

https://plugins.trac.wordpress.org/browser/imagemapper/tags/1.2.6/imagemapper.php#L916

Patch

https://plugins.trac.wordpress.org/browser/imagemapper/tags/1.2.6/imagemapper.php#L939

Patch

https://plugins.trac.wordpress.org/browser/imagemapper/tags/1.2.6/imagemapper.php#L958

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/a128018b-f19b-4b18-a53c-cf1310d3d0e7?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/a128018b-f19b-4b18-a53c-cf1310d3d0e7

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-5975

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-5975

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-5975

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-5975