CVE-2023-5713

The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values.
Configurations

Configuration 1 (hide)

cpe:2.3:a:bowo:system_dashboard:*:*:*:*:*:wordpress:*:*

History

11 Dec 2023, 17:51

Type Values Removed Values Added
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/e9d1a33b-2518-48f7-90b6-a94a34473d1e?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/e9d1a33b-2518-48f7-90b6-a94a34473d1e?source=cve - Third Party Advisory
References () https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L6357 - () https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L6357 - Patch
References () https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L6341 - () https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L6341 - Patch
CPE cpe:2.3:a:bowo:system_dashboard:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
CWE CWE-862

07 Dec 2023, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-07 02:15

Updated : 2024-02-05 00:22


NVD link : CVE-2023-5713

Mitre link : CVE-2023-5713

CVE.ORG link : CVE-2023-5713


JSON object : View

Products Affected

bowo

  • system_dashboard
CWE
CWE-862

Missing Authorization