CVE-2023-6824

Severity: 6.5 MEDIUM
EPSS: 0.5% (top 33.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 16

Description

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate user capabilities in some of its AJAX actions, allowing any user to retrieve other users' account addresses.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 2 packages

Vulnerability Details (2)

CVEList: WP Customer Area < 8.2.1 - Subscriber+ Account Address Leak (2024-01-16)
GHSA: GHSA-hw85-hp8p-j3g9: The WP Customer Area WordPress plugin before 8 (2024-01-16)