Privilege Escalation Vulnerability in WordPress
CVE-2023-1874

7.5HIGH

Key Information:

Vendor: WordPress
Status: WP Data Access
Vendor: CVE Published:; 12 April 2023

What is CVE-2023-1874?

The WP Data Access plugin for WordPress contains a vulnerability allowing users with minimal permissions to elevate their own user roles. This is due to insufficient authorization checks on the 'multiple_roles_update' function, particularly in versions up to and including 5.3.7. When the 'Enable role management' setting is activated on the site, authenticated attackers can exploit this weakness by modifying the 'wpda_role[]' parameter during a profile update, effectively granting themselves unauthorized privileges.

Affected Version(s)

WP Data Access * <= 5.3.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-data-access...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 12, 2023
Vulnerability Reserved
Apr 5, 2023

Credit

Chloe Chamberland

JSON