Lucene search

[email protected]NVD:CVE-2023-4247

HistoryJan 11, 2024 - 9:15 a.m.

CVE-2023-4247

2024-01-1109:15:46

CWE-352

[email protected]

web.nvd.nist.gov

givewp plugin

cross-site request forgery

wordpress

nonce validation

sendwp plugin

unauthenticated attackers

site administrator

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

28.6%

JSON

The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_disconnect function. This makes it possible for unauthenticated attackers to deactivate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected configurations

Nvd

Node

givewpgivewpRange≤2.33.3wordpress

VendorProductVersionCPE
givewpgivewp*cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
givewp	givewp	*	cpe:2.3:a:givewp:givewp::::::wordpress::*

References

plugins.trac.wordpress.org/browser/give/trunk/includes/admin/misc-functions.php?rev=2772225#L333

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2974851%40give%2Ftrunk&old=2973080%40give%2Ftrunk&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/e32d9104-5a39-4455-b76a-e24ae787bdfd?source=cve

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

28.6%

JSON

Related for NVD:CVE-2023-4247

cve1 cvelist1 wpvulndb1 prion1 wordfence1