CVE-2023-6741 — Improper Access Control in WP Customer Area

CWE-284 — Improper Access Control CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 63.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Marvinlabs WP Customer Area

Timeline

PublishedJan 16

Description

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDmarvinlabs/wp_customer_area< 8.2.1

🔴Vulnerability Details

GHSA

GHSA-h7v4-v2xr-w9gx: The WP Customer Area WordPress plugin before 8↗2024-01-16

▶

CVEList

WP Customer Area < 8.2.1 - Subscriber+ Account Address Update↗2024-01-16

▶

GHSA

Cross-site Scripting (XSS) in Conditions tab of Pricing Rules↗2023-04-27

▶