CVE-2023-3999
Discription

The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on its AJAX calls in versions up to, and including, 0.6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create and delete countdowns as well as manipulate other plugin settings.Read More

References

https://plugins.trac.wordpress.org/browser/waiting/trunk/waiting.php?rev=2826039https://www.wordfence.com/threat-intel/vulnerabilities/id/293070c8-783f-404d-9250-392713703ce4?source=cve

6.5 Medium

CVSS2

  • Access Vector
  • Access Complexity
  • Authentication
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Low
  • Single
  • Partial
  • Partial
  • Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.3 Medium

CVSS3

  • Attack Vector
  • Attack Complexity
  • Privileges Required
  • User Interaction
  • Scope
  • Confidentiality Impact
  • Integrity Impact
  • Availability Impact
  • Network
  • Low
  • Low
  • None
  • Unchanged
  • Low
  • Low
  • Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Back to Main
Subscribe for the latest news: