PT-2023-31199 · WordPress · Salesmanago

Francesco Carlucci · Published 2023-10-21 · Updated 2023-10-31 · CVE-2023-4939

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vulnerable software and affected versions: SALESmanago plugin for WordPress, versions up to and including 3.2.4.

Description: The "/wp-json/salesmanago/v1/callbackApiV3" REST endpoint authenticates callers with a weak token: a SHA1 hash of the site URL and the client id, both of which are exposed in the page source of the website. Because every input to the hash is public, anyone can recompute the token, so unauthenticated attackers can reach the endpoint and inject arbitrary content into the plugin's log files. On its own this is scored as a low-integrity impact (hence the 5.3 rating); combined with another issue it could have significantly greater consequences.

Recommendations: For versions up to and including 3.2.4, update to a version that addresses this issue. As a temporary workaround, restrict access to the "/wp-json/salesmanago/v1/callbackApiV3" endpoint (for example at the web server or WAF) until a patched version is installed. A token that is only a hash of public values is not a secret; any replacement should be keyed with a server-side secret and compared in constant time.
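The weakness class described above, as an added illustration that is not the plugin's own code: a token that is an unkeyed SHA1 over two public values can be recomputed by anyone who reads the page source, while an HMAC keyed with a server-side secret over the same values cannot. The site URL, client id and secret below are constructed sample values, the concatenation order inside the hash is an assumption (the advisory does not state it), and the callback handler is a simulation of the pattern, not the real endpoint.

```python
"""Unkeyed vs. keyed callback token, modelled on the pattern CVE-2023-4939 describes.

Constructed example: SITE_URL, CLIENT_ID and SERVER_SECRET are made up, and the
exact concatenation order used by the real plugin is an assumption.
"""
import hashlib
import hmac
import secrets

SITE_URL = "https://shop.example"        # constructed; public
CLIENT_ID = "client-0001"                # constructed; stands in for the id in page source
SERVER_SECRET = secrets.token_bytes(32)  # constructed; known only to the server


def weak_token(site_url: str, client_id: str) -> str:
    """Unkeyed SHA1 over two public values (assumed order: url then id).
    Anyone who can read the page source can recompute this."""
    return hashlib.sha1(f"{site_url}{client_id}".encode()).hexdigest()


def keyed_token(site_url: str, client_id: str, secret: bytes) -> str:
    """HMAC-SHA256 over the same public values, keyed with a server-side secret.
    Without the secret the token cannot be reproduced."""
    msg = f"{site_url}\n{client_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_callback(presented: str, expected: str, payload: str, log: list) -> bool:
    """Simulated callback endpoint: constant-time token check, then log the payload.
    Returns True if the payload was accepted and appended to the log."""
    if not hmac.compare_digest(presented, expected):
        return False
    # Neutralise CR/LF so a payload cannot fabricate additional log lines.
    log.append(payload.replace("\r", " ").replace("\n", " "))
    return True


def attacker_with_weak_scheme(log: list) -> bool:
    """Attacker holding only public values forges the unkeyed token."""
    forged = weak_token(SITE_URL, CLIENT_ID)
    expected = weak_token(SITE_URL, CLIENT_ID)  # what the server computes
    return handle_callback(forged, expected, "forged entry", log)


def attacker_with_keyed_scheme(log: list) -> bool:
    """Same attacker against the keyed scheme; best effort is a guessed key."""
    forged = keyed_token(SITE_URL, CLIENT_ID, secrets.token_bytes(32))
    expected = keyed_token(SITE_URL, CLIENT_ID, SERVER_SECRET)
    return handle_callback(forged, expected, "forged entry", log)


if __name__ == "__main__":
    log = []
    print("weak scheme forged:", attacker_with_weak_scheme(log))    # True
    print("keyed scheme forged:", attacker_with_keyed_scheme(log))  # False
    print("log:", log)
```

The point of `keyed_token` is not the stronger hash function but the secret: SHA1 versus SHA256 changes nothing here, because the attacker's problem with the weak scheme is that there is no unknown input at all. `hmac.compare_digest` keeps the comparison constant-time, and the CR/LF stripping in `handle_callback` is the minimal log-injection guard the advisory's impact suggests.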

Weakness Enumeration

Improper Authentication (CWE-287)

Related identifiers

CVE-2023-4939

Affected products

Salesmanago