PT-2023-17636 · WordPress · Buy Me A Coffee – Button/Widget Plugin

István Márton

Publicado

2023-07-11

Atualizado

2023-07-18

CVE-2023-2078

CVSS v3.1

7.3

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Buy Me a Coffee – Button and Widget Plugin versions up to 3.7

Description The issue allows unauthorized modification of data due to missing capability checks on the recieve post, bmc disconnect, name post, and widget post functions. This enables authenticated attackers with minimal permissions, such as subscribers, to update the plugin's settings.

Recommendations For versions up to 3.7, update to a version that includes the necessary capability checks to prevent unauthorized modification of data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Missing Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-862

Identificadores relacionados

CVE-2023-2078

Produtos afetados

Buy Me A Coffee – Button/Widget Plugin

PT-2023-17636 · WordPress · Buy Me A Coffee – Button/Widget Plugin

CVE-2023-2078

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8