Insecure Direct Object Reference in BadgeOS Plugin for WordPress
CVE-2023-2172

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Badgeos
Vendor: CVE Published:; 31 August 2023

Summary

The BadgeOS plugin for WordPress is susceptible to Insecure Direct Object Reference due to insufficient validation and authorization checks in several functions. This allows authenticated users with subscriber-level access or higher to manipulate post titles illegitimately. The vulnerability exists in version 3.7.1.6 and earlier, where functions such as badgeos_update_steps_ajax_handler and others fail to adequately restrict access, exposing the system to potential misuse.

Affected Version(s)

BadgeOS * <= 3.7.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/badgeos/trunk/...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 31, 2023
Vulnerability Reserved
Apr 18, 2023

Credit

Alex Thomas