CVE-2023-0443
AnyWhere Elementor < 1.2.8 - Freemius API Key Disclosure
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The AnyWhere Elementor WordPress plugin before 1.2.8 discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. Such key has been revoked.
The AnyWhere Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.2.7 via the wpv_ae. This allowed anyone able to view the plugin repo to view a Freemius API Secret Key allowing them to purchase Freemius Pro using fake credit card numbers. The API Key has been revoked at this time. Note that this vulnerability does not directly impact WordPress sites.
*Credits:
Sanjay Das, WPScan
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-01-23 CVE Reserved
- 2023-05-02 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/471f3226-8f90-43d1-b826-f11ef4bbd602 | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wpvibes Search vendor "Wpvibes" | Anywhere Elementor Search vendor "Wpvibes" for product "Anywhere Elementor" | < 1.2.8 Search vendor "Wpvibes" for product "Anywhere Elementor" and version " < 1.2.8" | wordpress |
Affected
| ||||||