CVE-2023-5417
Funnelforms Free <= 3.4 - Missing Authorization to Category Update
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID.
El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_update_category en versiones hasta la 3.4 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de suscriptor y superiores, modifiquen la categoría Funnelforms para una ID de publicación determinada.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-10-04 CVE Reserved
- 2023-11-01 CVE Published
- 2024-08-02 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://www.wordfence.com/threat-intel/vulnerabilities/id/148794ea-3bc9-4084-bdb9-6ee63a781a39?source=cve | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free | 2023-11-27 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Funnelforms Search vendor "Funnelforms" | Funnelforms Search vendor "Funnelforms" for product "Funnelforms" | <= 3.4 Search vendor "Funnelforms" for product "Funnelforms" and version " <= 3.4" | free, wordpress |
Affected
|