CVE-2023-3277
🔴 Patch now
A vulnerability in the MStore API plugin for WordPress allows unauthorized account access.
CVSS
9.8
EPSS
38.7%
Exploit
none
Vendor
inspireui
Source description (NVD)
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address.
privilege-escalation
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 38.7% |
| Published (NVD) | 2023-11-03 12:15:08 UTC |
| Last modified (NVD) | 2026-04-08 17:16:59 UTC |
References
- https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821 (security@wordfence.com) [Product]
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2988788%40mstore-api%2Ftrunk&old=2985882%40mstore-api%2Ftrunk&sfp_email=&sfph_mail= (security@wordfence.com)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1c7c0c35-5f44-488f-9fe1-269ea4a73854?source=cve (security@wordfence.com) [Third Party Advisory]