Lucene search

[email protected]CVE-2023-5425

HistoryOct 28, 2023 - 12:15 p.m.

CVE-2023-5425

2023-10-2812:15:37

NVD-CWE-noinfo

[email protected]

web.nvd.nist.gov

wordpress

plugin

vulnerability

unauthorized modification

missing capability check

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

18.2%

JSON

The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_change_user_meta and pmdm_wp_change_post_meta functions in versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain elevated (e.g., administrator) privileges.

CPENameOperatorVersion
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managerlt1.2.1
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq-
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.1.0
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.0.3
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.0.1
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.2.0
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.1.5
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.0.2
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.0
wpexpertplugins:post_meta_data_managerwpexpertplugins post meta data managereq1.1.2

CPE	Name	Operator	Version
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	lt	1.2.1
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	-
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.1.0
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.0.3
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.0.1
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.2.0
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.1.5
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.0.2
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.0
wpexpertplugins:post_meta_data_manager	wpexpertplugins post meta data manager	eq	1.1.2

Rows per page:

1-10 of 131

References

plugins.trac.wordpress.org/changeset/2981559/post-meta-data-manager

www.wordfence.com/threat-intel/vulnerabilities/id/d7f4e710-99a2-49df-a513-725e1daaa18a?source=cve

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

18.2%

JSON

Related for CVE-2023-5425

wpvulndb1 cvelist1 prion1 wordfence1