CVE-2023-6279

2024-01-2915:15:09

CWE-862

WPScan

web.nvd.nist.gov

cve-2023-6279

woostify

wordpress

plugin

authorization

ajax

dos

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

AI Score

Confidence

High

EPSS

Percentile

13.3%

JSON

The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to ‘activated’ which could lead to DoS when using a specific option name

Affected configurations

Nvd

Vulners

Node

wootsifysites_libraryRange<1.4.8wordpress

VendorProductVersionCPE
wootsifysites_library*cpe:2.3:a:wootsify:sites_library:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
wootsify	sites_library	*	cpe:2.3:a:wootsify:sites_library::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "Woostify Sites Library",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "1.4.8"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]