wpvulndb | WPVDB-ID: 295E9BDD-7BF9-41EA-9043-20652CD73B6B
Oct 30, 2023 - 12:00 a.m.

Deeper Comments <= 2.1.1 - Subscriber+ Arbitrary Options Update

2023-10-30 00:00:00
wpscan.com
Tags: deeper comments, plugin, unauthorized, update options, arbitrary, ajax, action, authenticated users, subscribers, blog options

AI Score: 7 High (Confidence: High)

Description

The plugin does not perform an authorisation check in its update_options AJAX action, allowing any authenticated user, such as a subscriber, to update arbitrary blog options (like default_role etc.).
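For plugin developers reviewing their own handlers, the following added example (not the Deeper Comments code, and not from WPScan) shows an options-update AJAX action with the three checks this class of bug lacks: a nonce, a capability check, and an allowlist of option names. The `example_` action, option names and the `options`/`nonce` request fields are hypothetical.

```php
<?php
// Added illustration; all example_* names are hypothetical, not the plugin's own.

// Options this feature may change, mapped to the sanitizer for each value.
// Core options such as default_role are absent, so they can never be written here.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_comments_per_page' => 'absint',
    'example_reply_label'       => 'sanitize_text_field',
);

// wp_ajax_{action} fires for every logged-in user, subscribers included,
// so the hook itself provides authentication only, not authorisation.
add_action( 'wp_ajax_example_update_options', 'example_update_options' );

function example_update_options() {
    // 1. CSRF: the nonce must have been issued for this specific action.
    check_ajax_referer( 'example_update_options', 'nonce' );

    // 2. Authorisation: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Scope: never pass a request-supplied option name straight to update_option().
    $submitted = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] )
        : array();

    $updated = array();
    foreach ( $submitted as $name => $value ) {
        if ( ! is_string( $name ) || ! is_scalar( $value )
            || ! isset( EXAMPLE_ALLOWED_OPTIONS[ $name ] ) ) {
            continue; // unknown option name or non-scalar value: ignore it
        }
        $sanitize = EXAMPLE_ALLOWED_OPTIONS[ $name ];
        update_option( $name, $sanitize( $value ) );
        $updated[] = $name;
    }

    wp_send_json_success( array( 'updated' => $updated ) );
}
```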
