CVE-2023-5644
WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints
- Affected Versions: < 1.1.3
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.
The WP Mail Log plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the check_permission() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with contributor-level access and above, to access REST routes that they should not have access to and delete data.
SSVC
- Decision: Attend
Timeline
- 2023-10-18 CVE Reserved
- 2023-11-28 CVE Published
- 2024-09-25 First Exploit
- 2024-10-24 CVE Updated
- 2024-11-01 EPSS Updated
CWE
- CWE-863: Incorrect Authorization
References (1)
URL | Date | SRC
---|---|---
https://wpscan.com/vulnerability/08f1d623-0453-4103-a9aa-2d0ddb6eb69e | 2024-09-25 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Wpvibes | Wp Mail Log | < 1.1.3 | wordpress | Affected