Lucene search

WordfenceCVELIST:CVE-2023-6638

HistoryJan 11, 2024 - 8:33 a.m.

CVE-2023-6638

2024-01-1108:33:00

Wordfence

www.cve.org

wordpress

gtg product feed

shopping plugin

vulnerability

unauthorized modification

data

capability check

update settings

unauthenticated attackers

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

20.5%

JSON

The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘update_settings’ function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings.

CNA Affected

[
  {
    "vendor": "gutengeek",
    "product": "GG Woo Feed for WooCommerce Shopping Feed on Google Facebook and Other Channels",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.2.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/gg-woo-feed/trunk/inc/Admin/Admin.php?rev=2933599#L199

www.wordfence.com/threat-intel/vulnerabilities/id/ce6b9b0a-e82e-459a-bddf-1c9354bcec00?source=cve

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

0.001 Low

EPSS

Percentile

20.5%

JSON

Related for CVELIST:CVE-2023-6638