CVE-2023-6139
Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks.
El complemento Essential Real Estate de WordPress anterior a 4.4.0 no aplica comprobaciones de capacidad adecuadas en sus acciones AJAX, que, entre otras cosas, permiten a atacantes con una cuenta de suscriptor realizar ataques de denegación de servicio.
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the gsf_save_options AJAX action in all versions up to, and including, 4.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the plugin's settings which can lead to a denial of service.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-11-14 CVE Reserved
- 2023-12-18 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-12-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/96396a22-f523-4c51-8b72-52be266988aa | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| G5plus Search vendor "G5plus" | Essential Real Estate Search vendor "G5plus" for product "Essential Real Estate" | < 4.4.0 Search vendor "G5plus" for product "Essential Real Estate" and version " < 4.4.0" | wordpress |
Affected
| ||||||