PT-2023-18340 · WordPress · Badgeos

Alex Thomas · Published 2023-08-31 · Updated 2023-09-01 · CVE-2023-2172

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (network-reachable, low-privilege authenticated attacker, no user interaction; integrity impact only, no confidentiality or availability impact)
Name of the Vulnerable Software and Affected Versions: BadgeOS plugin for WordPress, versions up to and including 3.7.1.6

Description: The BadgeOS plugin is vulnerable to Insecure Direct Object Reference (IDOR) due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler AJAX handler functions. The post that each handler updates is selected by a request parameter, and the handlers do not confirm that the caller is allowed to edit that post. This allows authenticated attackers with subscriber-level permissions and above to overwrite the title of arbitrary posts.

Recommendations: For versions up to and including 3.7.1.6, consider disabling the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions (for example by unhooking them from their wp_ajax_ actions) until a patch is available, to prevent exploitation. Note that this also removes the functionality those handlers provide to legitimate editors, so it is a stop-gap rather than a fix. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
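To make the weakness class concrete, the following is an added example of the IDOR pattern in a WordPress admin-ajax handler, shown in its vulnerable and hardened forms. It is illustrative code written for this page, not BadgeOS's own code, and the handler names, the `example_step_title` AJAX action, the `example_step` post type and the `example_step_nonce` nonce action are all hypothetical.

```php
<?php
/**
 * Illustrative admin-ajax handlers for the IDOR pattern described above.
 * Added example, not the plugin's code: every name below is hypothetical.
 */

// VULNERABLE PATTERN: the post ID and title come straight from the request and
// the post is updated after nothing more than the login check implied by the
// wp_ajax_ (non-nopriv) hook. Any logged-in user, including a subscriber, can
// point post_id at any post on the site and rewrite its title.
function example_update_step_title_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    // Sanitising the input is not authorisation: nothing here ties the caller
    // to the post being modified.
    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
    wp_send_json_success();
}

// HARDENED PATTERN: nonce (CSRF), existence and post-type check, and a
// per-object capability check, so the caller must be allowed to edit this
// specific post before anything is written.
function example_update_step_title_hardened() {
    // 1. CSRF: reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_step_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    // 2. Object validation: the post must exist and be of the type this
    //    handler is for, so the endpoint cannot be turned into a generic
    //    "rename any post" primitive.
    $post = get_post( $post_id );
    if ( ! $post || 'example_step' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid step.' ), 400 );
    }

    // 3. Authorisation: the edit_post meta capability is resolved against this
    //    post's owner and status, so a subscriber (no edit_posts) and an author
    //    who does not own the post are both refused.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title required.' ), 400 );
    }

    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison.
add_action( 'wp_ajax_example_step_title', 'example_update_step_title_hardened' );
```

The important distinction is between authentication and authorisation: a `wp_ajax_` hook already requires a logged-in user, which is exactly the position a subscriber-level attacker holds. Only the per-object `current_user_can( 'edit_post', $post_id )` check, combined with confirming the post is of the expected type, closes the IDOR.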
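As an added example of the stop-gap recommended above (not code from the advisory or from BadgeOS), the following must-use plugin unhooks the four named handler functions from whatever `wp_ajax_` actions they are registered on. The advisory names the functions but not their hook tags, so the code scans every registered `wp_ajax_*` tag rather than assuming tag names; the plugin file name and the `example_` function name are hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary lockout for BadgeOS step AJAX handlers
 * Description: Added example mitigation for CVE-2023-2172. Drop this file into
 *              wp-content/mu-plugins/ and remove it once a fixed release is installed.
 */

// The four function names are the ones the advisory lists; the wp_ajax_ tags
// they are attached to are not given, so we match on the callback instead.
function example_badgeos_unhook_step_handlers() {
    $targets = array(
        'badgeos_update_steps_ajax_handler',
        'badgeos_update_award_steps_ajax_handler',
        'badgeos_update_deduct_steps_ajax_handler',
        'badgeos_update_ranks_req_steps_ajax_handler',
    );

    global $wp_filter;
    $removed = array();

    // $wp_filter maps hook tag => WP_Hook; WP_Hook::$callbacks is
    // priority => array( id => array( 'function' => callable, 'accepted_args' => int ) ).
    // foreach iterates over copies of the arrays, so removing entries while
    // walking them is safe.
    foreach ( $wp_filter as $tag => $hook ) {
        if ( 0 !== strpos( $tag, 'wp_ajax_' ) || ! ( $hook instanceof WP_Hook ) ) {
            continue;
        }
        foreach ( $hook->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                // Only plain function-name callbacks are matched; closures or
                // array callbacks would need a different comparison.
                if ( is_string( $cb['function'] ) && in_array( $cb['function'], $targets, true ) ) {
                    if ( remove_action( $tag, $cb['function'], $priority ) ) {
                        $removed[] = $tag . ' -> ' . $cb['function'];
                    }
                }
            }
        }
    }

    // Leave a trace in the error log so operators can see the lockout is active
    // and which tags were affected.
    if ( ! empty( $removed ) && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        error_log( 'BadgeOS lockout removed: ' . implode( ', ', $removed ) );
    }

    return $removed;
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_{$action}, and
// admin_init runs after init, so a late admin_init priority sees the plugin's
// hooks whether they were registered at plugin load, init or admin_init.
add_action( 'admin_init', 'example_badgeos_unhook_step_handlers', PHP_INT_MAX );
```

Once the callbacks are removed, admin-ajax.php responds to those actions with its default "0" (no handler) response, for administrators as well as subscribers, which is the functional cost of the stop-gap. Verify the lockout after deployment by confirming the expected step-editing AJAX calls now fail from an administrator session, and remove the mu-plugin only after upgrading to a release that the vendor confirms addresses CVE-2023-2172.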

Weakness Enumeration: IDOR

Related Identifiers: CVE-2023-2172

Affected Products: Badgeos