Lucene search

[email protected]NVD:CVE-2023-5712

HistoryDec 07, 2023 - 2:15 a.m.

CVE-2023-5712

2023-12-0702:15:06

CWE-862

[email protected]

web.nvd.nist.gov

wordpress

dashboard

vulnerability

unauthorized access

data

missing capability check

ajax action

versions

sensitive information

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

20.2%

JSON

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information.

Affected configurations

Nvd

Node

bowosystem_dashboardRange≤2.8.7wordpress

VendorProductVersionCPE
bowosystem_dashboard*cpe:2.3:a:bowo:system_dashboard:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
bowo	system_dashboard	*	cpe:2.3:a:bowo:system_dashboard::::::wordpress::*

References

plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L7382

plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L7403

www.wordfence.com/threat-intel/vulnerabilities/id/70f14d9d-6ed6-4bcb-944d-f9c5aa6a17a6?source=cve

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

20.2%

JSON

Related for NVD:CVE-2023-5712

cve1 cvelist1 prion1 wpvulndb1 wordfence1