iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin
CVE-2022-3911
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 2 January 2023
Badges
Summary
The iubenda WordPress plugin prior to version 3.3.3 contains a security issue where it lacks proper authorization checks and is vulnerable to Cross-Site Request Forgery (CSRF) in an AJAX action. This vulnerability allows authenticated users, including those with low-level roles like subscribers, to manipulate plugin options and grant themselves elevated privileges such as the ability to edit plugins. This presents a significant risk to WordPress sites using the plugin, as it can lead to unauthorized actions and compromise site integrity.
Affected Version(s)
iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more 0 < 3.3.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved