Lucene search

[email protected]NVD:CVE-2023-5426

HistoryOct 28, 2023 - 12:15 p.m.

CVE-2023-5426

2023-10-2812:15:38

[email protected]

web.nvd.nist.gov

wordpress

plugin

vulnerability

unauthorized modification

data

capability check

cve-2023-5426

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

34.0%

JSON

The Post Meta Data Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmdm_wp_delete_user_meta, pmdm_wp_delete_term_meta, and pmdm_wp_ajax_delete_meta functions in versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to delete user, term, and post meta belonging to arbitrary users.

Affected configurations

Nvd

Node

wpexpertpluginspost_meta_data_managerRange<1.2.1wordpress

VendorProductVersionCPE
wpexpertpluginspost_meta_data_manager*cpe:2.3:a:wpexpertplugins:post_meta_data_manager:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
wpexpertplugins	post_meta_data_manager	*	cpe:2.3:a:wpexpertplugins:post_meta_data_manager::::::wordpress::*

References

plugins.trac.wordpress.org/changeset/2981559/post-meta-data-manager

www.wordfence.com/threat-intel/vulnerabilities/id/d6a7f882-4582-4b08-9597-329d140ad782?source=cve

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

34.0%

JSON

Related for NVD:CVE-2023-5426

cvelist1 prion1 cve1 wpvulndb1 wordfence1