CVE-2023-1414

CWE-352 — Cross-Site Request Forgery (CSRF)CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 80.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown WP VR Rextheme WP VR

Timeline

PublishedApr 24

Description

The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5unknown/wp_vr< 8.3.0

▶NVDrextheme/wp_vr< 8.3.0

🔴Vulnerability Details

CVEList

WP VR < 8.3.0 - Subscriber+ Arbitrary Tour Update↗2023-04-24

▶

GHSA

GHSA-fcw3-646c-pcmv: The WP VR WordPress plugin before 8↗2023-04-24

▶