CVE-2023-1979

Severity
6.5 MEDIUM
EPSS
0.5%
top 36.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 8
Latest update: Jul 6

Description

The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password. The content is then only accessible to website visitors after entering the password. In WordPress, users with the "Author" role can create stories, but don't have the ability to edit password protected stories. The vulnerability allowed users with said role to bypass this permission check when trying to duplicate the protected story in the plugin's own dashboard, giving them

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.2 | Impact: 3.6

Affected Packages: 2 packages

Patches

Vulnerability Details (2)

GHSA
GHSA-p77r-crfj-p4f9: The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password (2023-07-06)
CVEList
Auth bypass in Web Stories for WordPress plugin (2023-05-08)