PT-2023-27963 · WordPress · Ban Users
István Márton
+1
·
Publicado
2023-09-12
·
Atualizado
2023-09-15
·
CVE-2023-4153
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
BAN Users plugin for WordPress versions up to, and including, 1.5.3
Description
The issue is related to a missing capability check on the
w3dev save ban user settings callback function, which allows authenticated attackers with minimal permissions to modify the plugin settings. This enables them to access the ban and unban functionality and set the role of the unbanned user.Recommendations
For versions up to, and including, 1.5.3, consider disabling the
w3dev save ban user settings callback function until a patch is available to prevent exploitation. Restrict access to the plugin settings to minimize the risk of unauthorized modifications.Correção
Incorrect Privilege Assignment
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Ban Users