CVE-2023-3063 Information
Jul 01, 2023
cve
Description
The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to and including 4.67. This is due to the plugin providing user-controlled access to objects letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above to change user passwords and potentially take over administrator accounts.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://plugins.trac.wordpress.org/browser/sp-client-document-manager/trunk/classes/ajax.php#L149 https://www.wordfence.com/threat-intel/vulnerabilities/id/6dc2e720-85d9-42d9-94ef-eb172425993d?source=cve
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
8.8
Share on: