Vulnerability CVE-2023-0550

Published: 2023-01-27

Description:
The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts.
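To make the missing check concrete, here is an added illustration of the CWE-639 pattern the description refers to, written as a WordPress AJAX handler in its vulnerable shape beside a hardened one. This is not the plugin's own code: the action name, the function names and the post type slug `qrm_menu_item` are assumptions made for this example, and only standard WordPress APIs are used.

```php
<?php
// Added illustration of the CWE-639 pattern described above. Not the plugin's
// own code: the action name, function names and the post type slug
// 'qrm_menu_item' are assumptions made for this example.

// Vulnerable shape: the ID taken from the request is treated as a menu item
// and deleted without checking what kind of post it actually refers to.
function example_delete_menu_item_vulnerable() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );   // any post ID the caller supplies
    wp_send_json_success();
}

// Hardened shape: nonce, object type and per-object capability are checked
// before anything is deleted.
function example_delete_menu_item_hardened() {
    // Reject requests that did not originate from a form we issued a nonce for.
    check_ajax_referer( 'example_menu_item_nonce', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );

    // 1. The object must exist and must be a menu item, not an arbitrary post.
    if ( ! $post || 'qrm_menu_item' !== $post->post_type ) {
        wp_send_json_error( 'not a menu item', 400 );
    }

    // 2. The current user must be allowed to delete this specific post;
    //    map_meta_cap resolves the 'delete_post' meta capability against the
    //    post's owner and the user's role.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users (no
// wp_ajax_nopriv_ variant), so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_delete_menu_item', 'example_delete_menu_item_hardened' );
```

The two checks in the hardened handler are independent: the post type check stops a subscriber from pointing the menu-item action at a page or post, and the capability check stops a user from deleting menu items they do not own even when the type is right. Dropping either one reintroduces an authorization bypass through the user-controlled key.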

In our database, we found the following notes for this CVE:

Title | Author | Date | Med.
WordPress Quick Restaurant 2.0.2 XSS / CSRF / IDOR / Missing Authorization | Marco Wotschka | 02.02.2023 |

Type:

CWE-639 (Authorization Bypass Through User-Controlled Key)

References:
https://plugins.trac.wordpress.org/browser/quick-restaurant-menu/tags/2.0.2/includes/admin/ajax-functions.php
https://plugins.trac.wordpress.org/changeset/2851871/quick-restaurant-menu/trunk?contextall=1&old=2788636&old_path=%2Fquick-restaurant-menu%2Ftrunk
https://www.wordfence.com/threat-intel/vulnerabilities/id/faa4fba5-cd19-4b96-aa09-07ed6d52a107

Copyright 2024, cxsecurity.com
