Vulnerability Monitor


CVE-2023-0889


The Themeflection Numbers WordPress plugin before 2.0.1 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, for example enabling registration and setting the default role to administrator.


Published

2023-04-17T13:15:37.997

Last Modified

2025-02-06T16:15:32.280

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

-


Affected Vendors & Products

| Type | Vendor | Product | Version/Range | Vulnerable? |
| --- | --- | --- | --- | --- |
| Application | metagauss | themeflection_numbers | < 2.0.1 | Yes |

References