CVE-2023-5525

2023-11-2717:15:08

CWE-862

[email protected]

web.nvd.nist.gov

cve-2023-5525

wordpress plugin

authorization bypass

nonce

ajax

security vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.0%

JSON

The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the toggle_auto_update AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

Affected configurations

Vulners

NVD

Node

limitloginattemptslimit_login_attempts_reloadedRange<2.25.26

VendorProductVersionCPE
limitloginattemptslimit_login_attempts_reloaded*cpe:2.3:a:limitloginattempts:limit_login_attempts_reloaded:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
limitloginattempts	limit_login_attempts_reloaded	*	cpe:2.3:a:limitloginattempts:limit_login_attempts_reloaded::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Limit Login Attempts Reloaded",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "2.25.26"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]