CVE-2023-6029 — Missing Authorization in Eazydocs

CWE-862 — Missing Authorization CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 73.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spider-themes Eazydocs

Timeline

PublishedJan 15

Description

The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDspider-themes/eazydocs< 2.3.6

🔴Vulnerability Details

GHSA

GHSA-2c3v-6gcr-6f8h: The EazyDocs WordPress plugin before 2↗2024-01-15

▶

CVEList

EazyDocs < 2.3.6 - Unauthenticated Arbitrary Posts Deletion and Document Management↗2024-01-15

▶