CVE-2023-6741
Published 2024-01-16
Priority: P4 (20) · Severity: medium · CVSS 3.1 base score: 4.3
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (network-reachable, low attack complexity, requires low privileges, i.e. an authenticated account, no user interaction, unchanged scope; low integrity impact, no confidentiality or availability impact)
EPSS: 0.39% (31.3rd percentile)
The WP Customer Area WordPress plugin before 8.2.1 does not properly validate user capabilities in some of its AJAX actions, allowing malicious users to edit other users' account addresses.
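The bug class here is a WordPress AJAX handler that trusts a client-supplied user ID and performs no authorization check beyond "someone is logged in" (which every `wp_ajax_*` hook already implies). The following is an added illustration written for this page, not code from WP Customer Area or from the fix in 8.2.1; the hook names, nonce action, meta key and parameter names are hypothetical. It shows the vulnerable pattern next to a hardened handler that adds a nonce check and an ownership/capability check.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_ hooks fire only for logged-in users, but that is the *only* gate
// here: any authenticated account can pass someone else's user_id.
add_action( 'wp_ajax_demo_update_address', 'demo_update_address_vulnerable' );
function demo_update_address_vulnerable() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $address = sanitize_text_field( wp_unslash( $_POST['address'] ?? '' ) );

    // No nonce (CSRF), no capability check, no ownership check:
    // a subscriber can overwrite another user's stored address.
    update_user_meta( $user_id, 'demo_account_address', $address );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// The nonce is issued to the front end elsewhere, e.g.
//   wp_create_nonce( 'demo_update_address' )  via wp_localize_script().
add_action( 'wp_ajax_demo_update_address_secure', 'demo_update_address_secure' );
function demo_update_address_secure() {
    // 1. Anti-CSRF: reject requests without a valid nonce for this action.
    //    check_ajax_referer() dies with a 403-style response on failure.
    check_ajax_referer( 'demo_update_address', 'nonce' );

    $user_id = absint( $_POST['user_id'] ?? 0 );
    $address = sanitize_text_field( wp_unslash( $_POST['address'] ?? '' ) );

    // 2. Input validation independent of who is calling.
    if ( 0 === $user_id || '' === $address || strlen( $address ) > 500 ) {
        wp_send_json_error( array( 'message' => 'invalid input' ), 400 );
    }

    // 3. Authorization: the caller may edit their own record, or must hold
    //    the capability WordPress uses for editing other accounts.
    //    'edit_user' is a meta capability that maps to 'edit_users' when the
    //    target is not the current user.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    update_user_meta( $user_id, 'demo_account_address', $address );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

To check whether a handler of this shape is exposed, log in as a low-privilege account (for example a subscriber), POST to `/wp-admin/admin-ajax.php` with the plugin's `action` value and a `user_id` belonging to a different account, and confirm the request is rejected rather than silently applied. When auditing a plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` registration and verify that each callback performs both a nonce check and a `current_user_can()` (or equivalent ownership) decision before any write.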
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| marvinlabs | wp_customer_area | < 8.2.1 | 8.2.1 |
| pimcore | pimcore | >= 0 < 10.5.21 | 10.5.21 |
Note: the pimcore row does not belong to CVE-2023-6741. Version 10.5.21 is the fix for the separate pimcore XSS advisory CVE-2023-2332 listed under "GHSA" below; only the marvinlabs/wp_customer_area range (< 8.2.1, fixed in 8.2.1) applies to this CVE.
GHSA
GHSA-h7v4-v2xr-w9gx (ghsa_unreviewed · 2024-01-16) · CVE-2023-6741 [MEDIUM]
The WP Customer Area WordPress plugin before 8.2.1 does not properly validate user capabilities in some of its AJAX actions, allowing malicious users to edit other users' account addresses.
GHSA
GHSA (reviewed · 2023-04-27) · CVE-2023-2332 [MEDIUM] · CWE-79
Cross-site Scripting (XSS) in Conditions tab of Pricing Rules (pimcore/pimcore)
### Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
### Patches
Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/a4491551967d879141a3fdf0986a9dd3d891abfe.patch
### Workarounds
Apply patch https://github.com/pimcore/pimcore/commit/a4491551967d879141a3fdf0986a9dd3d891abfe.patch manually.
### References
https://huntr.dev/bounties/e436ed71-6741-4b30-89db-f7f3de4aca2c/
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.