Lucene search

K
cve[email protected]CVE-2023-3459
HistoryJul 18, 2023 - 3:15 a.m.

CVE-2023-3459

2023-07-1803:15:55
web.nvd.nist.gov
27
cve-2023-3459
wordpress
plugin
vulnerability
data modification
admin account takeover

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.7%

The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘hf_update_customer’ function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user passwords and potentially take over administrator accounts.

Affected configurations

Vulners
NVD
Node
webtoffeeimport_export_wordpress_usersRange2.4.1
VendorProductVersionCPE
webtoffeeimport_export_wordpress_users*cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "webtoffee",
    "product": "Export and Import Users and Customers",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "2.4.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.7%

Related for CVE-2023-3459