CVE-2023-0993
Published 2023-06-09
Priority: P4 (22), medium, 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.55% (41.8th percentile)
The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getshieldsecurity | shield_security | <= 17.0.17 | — |
VulDB
Shield Security Plugin up to 17.0.17 on WordPress authorization
vuldb·2026-04-09·CVSS 4.3
CVE-2023-0993 [MEDIUM] Shield Security Plugin up to 17.0.17 on WordPress authorization
A vulnerability was found in Shield Security Plugin up to 17.0.17 on WordPress. It has been declared as critical. This affects an unknown part. The manipulation results in missing authorization.
This vulnerability is cataloged as CVE-2023-0993. The attack may be launched remotely. There is no exploit available.
GHSA
GHSA-5p6w-7m52-66g9: The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and includin
ghsa_unreviewed·2023-06-09·CVSS 7.2
CVE-2023-0993 [HIGH] CWE-862 GHSA-5p6w-7m52-66g9: The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and includin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2883864%40wp-simple-firewall%2Ftrunk&old=2883536%40wp-simple-firewall%2Ftrunk&sfp_email=&sfph_mail=
https://wordpress.org/plugins/wp-simple-firewall/
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security/
https://www.wordfence.com/threat-intel/vulnerabilities/id/674461ad-9b61-48c4-af2a-5dfcaeb38215?source=cve