Lucene search

WordfenceCVELIST:CVE-2023-3053

HistoryJun 02, 2023 - 11:37 p.m.

CVE-2023-3053

2023-06-0223:37:56

Wordfence

www.cve.org

wordpress

page builder

azexo

plugin

vulnerability

unauthorized modification

data

capability check

authenticated attackers

post type

post status

cve-2023-3053

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.3%

JSON

The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘azh_add_post’ function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status.

CNA Affected

[
  {
    "vendor": "azexo",
    "product": "Page Builder with Image Map by AZEXO",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.27.133",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/page-builder-by-azexo/trunk/azexo_html.php#L4085

plugins.trac.wordpress.org/browser/page-builder-by-azexo/trunk/azexo_html.php#L4137

www.wordfence.com/threat-intel/vulnerabilities/id/dd56cb73-1c40-44b1-b713-c0291832d988?source=cve

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.3%

JSON

Related for CVELIST:CVE-2023-3053