CVE-2023-38513
WordPress Photo Engine Plugin <= 6.2.5 is vulnerable to Insecure Direct Object References (IDOR)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5.
Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en Jordy Meow Photo Engine (Media Organizer & Lightroom). Este problema afecta a Photo Engine (Media Organizer & Lightroom): desde n/a hasta 6.2.5.
The Photo Engine plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.2.5. This is due to missing validation on a user controlled key within the ajax_generate_auth_token function. This makes it possible for unauthenticated attackers to generate authentication tokens on behalf of another user.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-07-18 CVE Reserved
- 2023-07-20 CVE Published
- 2023-12-29 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-639: Authorization Bypass Through User-Controlled Key
CAPEC
References (1)
URL | Tag | Source |
---|---|---|
https://patchstack.com/database/vulnerability/wplr-sync/wordpress-photo-engine-plugin-6-2-5-insecure-direct-object-references-idor?_s_id=cve | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Meowapps Search vendor "Meowapps" | Photo Engine Search vendor "Meowapps" for product "Photo Engine" | < 6.2.6 Search vendor "Meowapps" for product "Photo Engine" and version " < 6.2.6" | wordpress |
Affected
|