CVE-2023-0911

2023-03-2016:15:12

CWE-862

[email protected]

web.nvd.nist.gov

wordpress

shortcodes plugin

shortcodes ultimate

security

vulnerability

cve-2023-0911

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.6%

JSON

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated users such as subscriber to retrieve arbitrary user meta (except the user_pass), such as the user email and activation key by default.

Affected configurations

Vulners

NVD

Node

getshortcodesshortcodes_ultimateRange<5.12.8

VendorProductVersionCPE
getshortcodesshortcodes_ultimate*cpe:2.3:a:getshortcodes:shortcodes_ultimate:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
getshortcodes	shortcodes_ultimate	*	cpe:2.3:a:getshortcodes:shortcodes_ultimate::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WordPress Shortcodes Plugin — Shortcodes Ultimate",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "5.12.8"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]