CVE-2023-3244

2023-08-1707:15:43

[email protected]

web.nvd.nist.gov

cve

2023

3244

wordpress

plugin

vulnerability

data modification

capability check

ajax action

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.2%

JSON

The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to reset the plugin’s settings. NOTE: After attempting to contact the developer with no response, and reporting this to the WordPress plugin’s team 30 days ago we are disclosing this issue as it still is not updated.

Affected configurations

Vulners

NVD

Node

happy-coderscomments_like_dislikeRange≤1.1.9

CPENameOperatorVersion
wphappycoders:comments_like_dislikewphappycoders comments like dislikele1.1.9

CPE	Name	Operator	Version
wphappycoders:comments_like_dislike	wphappycoders comments like dislike	le	1.1.9

CNA Affected

[
  {
    "vendor": "happy-coders",
    "product": "Comments Like Dislike",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.1.9",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]