Missing Authorization Vulnerability in Shield Security Plugin by WordPress
CVE-2023-0993

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Shield Security – Smart Bot Blocking & Intrusion Prevention
Vendor: CVE Published:; 9 June 2023

Summary

The Shield Security plugin for WordPress is susceptible to a Missing Authorization issue on the 'theme-plugin-file' AJAX action in versions up to and including 17.0.17. This vulnerability enables attackers with authenticated access to insert arbitrary audit log entries, falsely indicating edits to themes or plugins. Furthermore, it serves as an attack vector for Cross-Site Scripting (XSS), which can lead to further exploitation within the application.

Affected Version(s)

Shield Security – Smart Bot Blocking & Intrusion Prevention * < 17.0.18

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wp-simple-firewall/

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 9, 2023
Vulnerability Reserved
Feb 23, 2023

Credit

Ramuel Gall