Lucene search

[email protected]NVD:CVE-2023-0749

HistoryMar 13, 2023 - 5:15 p.m.

CVE-2023-0749

2023-03-1317:15:12

[email protected]

web.nvd.nist.gov

cve-2023-0749

plugin vulnerability

authenticated user access

arbitrary post retrieval

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.4%

JSON

The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones.

Affected configurations

Nvd

Node

oceanwpocean_extraRange<2.1.3wordpress

VendorProductVersionCPE
oceanwpocean_extra*cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
oceanwp	ocean_extra	*	cpe:2.3:a:oceanwp:ocean_extra::::::wordpress::*

References

wpscan.com/vulnerability/9caa8d2e-383b-47d7-8d21-d2ed6b1664cb

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.4%

JSON

Related for NVD:CVE-2023-0749

cvelist1 prion1 openvas1 wpexploit1 wpvulndb1 cve1 wordfence1