Lucene search

[email protected]NVD:CVE-2023-1509

HistoryMar 29, 2023 - 11:15 a.m.

CVE-2023-1509

2023-03-2911:15:07

[email protected]

web.nvd.nist.gov

wordpress

cross-site request forgery

gmace plugin

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.009

Percentile

82.6%

JSON

The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing nonce validation on the gmace_manager_server function called via the wp_ajax_gmace_manager AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected configurations

Nvd

Node

gmace_projectgmaceRange≤1.5.2wordpress

VendorProductVersionCPE
gmace_projectgmace*cpe:2.3:a:gmace_project:gmace:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
gmace_project	gmace	*	cpe:2.3:a:gmace_project:gmace::::::wordpress::*

References

plugins.trac.wordpress.org/browser/gmace/trunk/gmace.php?rev=1583327#L84

plugins.trac.wordpress.org/browser/gmace/trunk/inc/filemanager.php?rev=1583319#L27

www.wordfence.com/threat-intel/vulnerabilities/id/826b3913-9a37-4e15-80fd-b35cefb51af8?source=cve

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.009

Percentile

82.6%

JSON

Related for NVD:CVE-2023-1509

cvelist1 cve1 prion1 wpvulndb1 wordfence1