CVE-2023-5537

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

he Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumet_options_page() function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References

Link	Resource
https://plugins.trac.wordpress.org/browser/delete-usermetas/trunk/delete-usermetas.php#L57	Patch
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2979918%40delete-usermetas&new=2979918%40delete-usermetas&sfp_email=&sfph_mail=	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/23b46e5b-ce1e-4215-921c-edea7fd6c56a?source=cve	Third Party Advisory
https://plugins.trac.wordpress.org/browser/delete-usermetas/trunk/delete-usermetas.php#L57	Patch
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2979918%40delete-usermetas&new=2979918%40delete-usermetas&sfp_email=&sfph_mail=	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/23b46e5b-ce1e-4215-921c-edea7fd6c56a?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:joselazo:delete_usermeta:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:41

Type	Values Removed	Values Added
References	~~() https://plugins.trac.wordpress.org/browser/delete-usermetas/trunk/delete-usermetas.php#L57 - Patch~~	() https://plugins.trac.wordpress.org/browser/delete-usermetas/trunk/delete-usermetas.php#L57 - Patch
References	~~() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2979918%40delete-usermetas&new=2979918%40delete-usermetas&sfp_email=&sfph_mail= - Patch~~	() https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2979918%40delete-usermetas&new=2979918%40delete-usermetas&sfp_email=&sfph_mail= - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/23b46e5b-ce1e-4215-921c-edea7fd6c56a?source=cve - Third Party Advisory~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/23b46e5b-ce1e-4215-921c-edea7fd6c56a?source=cve - Third Party Advisory

Information

Published : 2023-11-22 16:15

Updated : 2024-11-21 08:41

NVD link : CVE-2023-5537

Mitre link : CVE-2023-5537

CVE.ORG link : CVE-2023-5537

JSON object : View

Products Affected

joselazo

delete_usermeta

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

4.3 /10