CVE-2023-0749

Severity: 6.5 MEDIUM
EPSS: 0.4% (top 37.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 13

Description

The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts, including draft, private, or even password-protected ones.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5: unknown/ocean_extra < 2.1.3
NVD: oceanwp/ocean_extra < 2.1.3

Vulnerability Details (2)

CVEList: Ocean Extra < 2.1.3 - Subscriber+ Arbitrary Post Content Disclosure (2023-03-13)
GHSA: GHSA-w72q-xj4x-r776: The Ocean Extra WordPress plugin before 2 (2023-03-13)