CVE-2023-7286

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-7286

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

T

he plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above.

References
Link Resource
https://plugins.trac.wordpress.org/changeset?new=2828750%40acf-quickedit-fields&old=2816195%40acf-quickedit-fields#file89
https://wpscan.com/vulnerability/3538e80e-c2c5-4e7b-97c3-b7debad7a136
https://www.wordfence.com/threat-intel/vulnerabilities/id/5954bdc0-09e9-4691-95ff-02f7304514c9?source=cve
Configurations

No configuration.

History

16 Oct 2024, 16:38

Type Values Removed Values Added
Summary
  • (es) El complemento ACF Quick Edit Fields para WordPress es vulnerable a la referencia directa a objetos inseguros en versiones hasta la 3.2.2 incluida. Esto permite que los atacantes sin la capacidad edit_users accedan a los metadatos de otros usuarios, incluidos los usuarios de nivel colaborador y superiores.

16 Oct 2024, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-16 07:15

Updated : 2024-10-16 16:38

NVD link : CVE-2023-7286

Mitre link : CVE-2023-7286

CVE.ORG link : CVE-2023-7286

JSON object : View

Products Affected

No product.

CWE
CWE-639

Authorization Bypass Through User-Controlled Key