Lucene search

[email protected]NVD:CVE-2023-5710

HistoryDec 07, 2023 - 2:15 a.m.

CVE-2023-5710

2023-12-0702:15:06

CWE-862

[email protected]

web.nvd.nist.gov

wordpress

plugin

data access

vulnerability

ajax action

capability check

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

20.2%

JSON

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials.

Affected configurations

Nvd

Node

bowosystem_dashboardRange≤2.8.7wordpress

VendorProductVersionCPE
bowosystem_dashboard*cpe:2.3:a:bowo:system_dashboard:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
bowo	system_dashboard	*	cpe:2.3:a:bowo:system_dashboard::::::wordpress::*

References

plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L7930

plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L7951

www.wordfence.com/threat-intel/vulnerabilities/id/f170379e-e833-42e0-96fd-1e1722a8331c?source=cve

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

20.2%

JSON

Related for NVD:CVE-2023-5710

prion1 cvelist1 cve1 wpvulndb1 wordfence1