CVE-2023-0335

🗓️ 27 Mar 2023 15:37:21Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 48 Views🌐 WEB

The WP Shamsi plugin 4.3.3 has CSRF and access control vulnerabilities

Reporter	Title	Published	Views	Family All 14
Circl	CVE-2023-0335	27 Mar 202320:56	–	circl
CNNVD	WordPress plugin WP Shamsi 安全漏洞	27 Mar 202300:00	–	cnnvd
Cvelist	CVE-2023-0335 WP Shamsi <= 4.3.3 - Subscriber+ Attachment Deletion	27 Mar 202315:37	–	cvelist
EUVD	EUVD-2023-12396	3 Oct 202520:07	–	euvd
NVD	CVE-2023-0335	27 Mar 202316:15	–	nvd
OSV	CVE-2023-0335	27 Mar 202316:15	–	osv
Patchstack	WordPress WP Shamsi Plugin <= 4.3.3 is vulnerable to Arbitrary File Deletion	28 Mar 202300:00	–	patchstack
Prion	Improper access control	27 Mar 202316:15	–	prion
Positive Technologies	PT-2023-16188 · WordPress · Wp Shamsi	27 Mar 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-0335	23 May 202502:51	–	redhatcve

NVD

Vulners

Node

wpvar wp_shamsiRange≤4.3.3wordpress

[
  {
    "vendor": "Unknown",
    "product": "WP Shamsi",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "4.3.3"
      }
    ],
    "defaultStatus": "affected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/f7a20bea-c3d5-431b-bdcf-e189c81a561a

Parameter	Position	Path	Description	CWE
action	request body	wp-admin/admin-ajax.php	CSRF and broken access control allow low-privilege users to delete attachments via admin-ajax.php action exopite-sof-file-batch-delete.	CWE-352, CWE-862
media-ids[]	request body	wp-admin/admin-ajax.php	CSRF and broken access control allow low-privilege users to delete attachments via admin-ajax.php action exopite-sof-file-batch-delete.	CWE-352, CWE-862

19 Feb 2025 21:15Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.16.5

EPSS0.00132

SSVC

wp shamsi wordpress plugin cve-2023-0335 csrf access control vulnerability