Information Disclosure Vulnerability in FULL - Customer Plugin for WordPress
CVE-2023-4242

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: FULL – Customer
Vendor: CVE Published:; 9 August 2023

Summary

The FULL - Customer plugin for WordPress suffers from an information disclosure vulnerability through the /health REST route in versions up to and including 2.2.3. This flaw arises due to improper authorization checks, allowing authenticated attackers with subscriber-level permissions or higher to access sensitive site configuration details exposed by the WordPress health check feature. If exploited, this vulnerability can lead to the leakage of critical information that may aid in further attacks against the affected website.

Affected Version(s)

FULL – Customer * <= 2.2.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/full-customer/...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 9, 2023
Vulnerability Reserved
Aug 8, 2023

Credit

Ramuel Gall