CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR

https://notcve.org/view.php?id=CVE-2023-3601

The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. The Simple Author Box plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.51. This is due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level permissions and above, to expose sensitive user information. • https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f • CWE-639: Authorization Bypass Through User-Controlled Key •