PT-2023-17636 · WordPress · Buy Me A Coffee – Button/Widget Plugin

István Márton

Published

2023-07-11

Updated

2023-07-18

CVE-2023-2078

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Buy Me a Coffee – Button and Widget Plugin versions up to 3.7

Description The issue allows unauthorized modification of data due to missing capability checks on the recieve post, bmc disconnect, name post, and widget post functions. This enables authenticated attackers with minimal permissions, such as subscribers, to update the plugin's settings.

Recommendations For versions up to 3.7, update to a version that includes the necessary capability checks to prevent unauthorized modification of data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2023-2078

Affected Products

Buy Me A Coffee – Button/Widget Plugin

PT-2023-17636 · WordPress · Buy Me A Coffee – Button/Widget Plugin

CVE-2023-2078

Weakness Enumeration

Related Identifiers

Affected Products

References · 8