CVE-2023-2280

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_public' function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete or change plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0 and an additional partial patch was introduced in version 1.2.2, but the issue was not fully patched until 1.2.3.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:58

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 6.5
References () https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/public/class-wpdirectorykit-public.php#L249 - Patch () https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/public/class-wpdirectorykit-public.php#L249 - Patch
References () https://plugins.trac.wordpress.org/changeset/2907164/ - Patch () https://plugins.trac.wordpress.org/changeset/2907164/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/abb1a758-5c16-4841-b1c7-0705ab16b328?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/abb1a758-5c16-4841-b1c7-0705ab16b328?source=cve - Third Party Advisory

15 Jun 2023, 15:25

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
CPE cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:*
References (MISC) https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/public/class-wpdirectorykit-public.php#L249 - (MISC) https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/public/class-wpdirectorykit-public.php#L249 - Patch
References (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/abb1a758-5c16-4841-b1c7-0705ab16b328?source=cve - (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/abb1a758-5c16-4841-b1c7-0705ab16b328?source=cve - Third Party Advisory
References (MISC) https://plugins.trac.wordpress.org/changeset/2907164/ - (MISC) https://plugins.trac.wordpress.org/changeset/2907164/ - Patch

09 Jun 2023, 06:16

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-09 06:16

Updated : 2024-11-21 07:58


NVD link : CVE-2023-2280

Mitre link : CVE-2023-2280

CVE.ORG link : CVE-2023-2280


JSON object : View

Products Affected

wpdirectorykit

  • wp_directory_kit
CWE

No CWE.