Authorization Bypass Vulnerability in Waiting Plugin for WordPress
CVE-2023-3999

6.3MEDIUM

Key Information:

Vendor
WordPress
Status
Waiting: One-click Countdowns
Vendor
CVE Published:
31 August 2023

Summary

The Waiting: One-click countdowns plugin for WordPress has a significant vulnerability due to insufficient capability checks in its AJAX calls. This flaw allows authenticated users with subscriber-level permissions and above to create, delete countdowns and alter other plugin settings, compromising the integrity of the site. It affects versions up to and including 0.6.2.

Affected Version(s)

Waiting: One-click countdowns * <= 0.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/waiting/trunk/...

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.