CVE-2024-0248 — Missing Authorization in Eazydocs

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

CNA7.5

EPSS

0.3%

top 49.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spider-themes Eazydocs

Timeline

PublishedFeb 12

Description

The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 (https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/) in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDspider-themes/eazydocs< 2.4.0

🔴Vulnerability Details

GHSA

GHSA-xmp6-3vj6-r6rw: The EazyDocs WordPress plugin before 2↗2024-02-12

▶

CVEList

EazyDocs < 2.4.0 - Subscriber+ Arbitrary Posts Deletion and Document Management↗2024-02-12

▶