8.1
CVE-2023-6966
- EPSS 0.42%
- Published 06.06.2024 02:15:52
- Last modified 21.11.2024 08:44:56
- Source security@wordfence.com
The Moneytizer <= 9.6.3 - Missing Authorization via multiple AJAX actions
The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.5.20. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions.
Possible mitigation
The Moneytizer: Update to version 10.0.1, or a newer patched version
Further vulnerability information
- System: WordPress Plugin
- Product: The Moneytizer
- Version: *-9.6.3
Data provided by the National Vulnerability Database (NVD)
Themoneytizer ≫ The Moneytizer, SwPlatform: wordpress, Version < 10.0.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.614 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 8.1 | 2.8 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.