CVE-2023-5884
Word Balloon < 4.20.3 - Avatar Removal via CSRF
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Word Balloon WordPress plugin before 4.20.3 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link.
El complemento Word Balloon de WordPress anterior a 4.20.3 no protege algunas de sus acciones contra ataques CSRF, lo que permite a un atacante no autenticado engañar a un usuario que ha iniciado sesión para que elimine avatares arbitrarios haciendo clic en un enlace.
The Word Balloon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.20.2. This is due to missing or incorrect nonce validation on the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary avatars via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-10-31 CVE Reserved
- 2023-11-13 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2025-01-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/f4a7937c-6f4b-49dd-b88a-67ebe718ad19 | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Back2nature Search vendor "Back2nature" | Word Balloon Search vendor "Back2nature" for product "Word Balloon" | < 4.20.3 Search vendor "Back2nature" for product "Word Balloon" and version " < 4.20.3" | wordpress |
Affected
| ||||||