CVE-2023-1026Missing Authorization in WP Meta SEO

CWE-862Missing Authorization3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 52.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Joomunited WP Meta SEO
Timeline
PublishedFeb 28

Description

The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function in versions up to, and including, 4.5.3. This makes it possible for authenticated attackers with subscriber-level access to get post listings by category as long as those posts are published. This vulnerability occurred as a result of the plugin relying on nonce checks as a means of access control, and that nonce being accessible to all authenticat

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5joomunited/wp_meta_seo4.5.3

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-vf57-68p7-g74c: The WP Meta SEO plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the listPostsCategory function2023-02-28
CVEList
WP Meta SEO <= 4.5.3 - Missing Authorization in 'listPostsCategory'2023-02-28
CVE-2023-1026 — Missing Authorization in WP Meta SEO | cvebase