// For flags

CVE-2023-7199

Relevanssi (Free < 4.22.0, Premium < 2.25.0) - Unauthenticated Private/Draft Post Disclosure

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request

Los complementos Relevanssi de WordPress anterior a 4.22.0 y Relevanssi Premium de WordPress anterior a 2.25.0 permite a cualquier usuario no autenticado leer borradores y publicaciones privadas a través de una solicitud manipulada

The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to insufficient limitation of a user controlled key in all versions up to, and including, 4.21.2 (Free) and < 2.25.0 (Premium). This makes it possible for unauthenticated attackers to view private and draft posts that may contain sensitive information.

*Credits: Krzysztof Zając (CERT PL), WPScan
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-01-02 CVE Reserved
  • 2024-01-04 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • 2024-08-13 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Relevanssi
Search vendor "Relevanssi"
Relevanssi
Search vendor "Relevanssi" for product "Relevanssi"
<= 2.25.0
Search vendor "Relevanssi" for product "Relevanssi" and version " <= 2.25.0"
wordpress
Affected