Sensitive Information Exposure in User Registration Plugin for WordPress
CVE-2023-3371

5.3MEDIUM

Key Information:

Vendor
Wordpress
Status
Embedpress – Embed PDF, Youtube, Google Docs, Vimeo, Wistia Videos, AudiOS, Maps & Any Documents In Gutenberg & Elementor
Vendor
CVE Published:
27 June 2023

Summary

The User Registration plugin for WordPress suffers from a vulnerability that allows attackers to expose sensitive information due to a hardcoded encryption key in the 'lock_content_form_handler' and 'display_password_form' functions. This flaw affects versions up to and including 3.7.3, enabling unauthenticated users to decrypt and gain access to password-protected content without authorization. Users are advised to update their plugin to mitigate the risk associated with this vulnerability.

Affected Version(s)

EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor * <= 3.7.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/embedpress/tag...
https://plugins.trac.wordpress.org/browser/embedpress/tag...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
.