Sensitive Information Exposure in WP Customer Reviews Plugin by WordPress
CVE-2023-4686

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Customer Reviews
Vendor: CVE Published:; 22 November 2023

Summary

The WP Customer Reviews plugin for WordPress is susceptible to a sensitive information exposure vulnerability in versions up to 3.6.6. This flaw allows authenticated attackers to access sensitive data, such as post titles and slugs, including those from protected and trashed posts, as well as other content types like galleries. By exploiting the ajax_enabled_posts function, an attacker can potentially compromise the data integrity and confidentiality of the WordPress site. Website owners using this plugin must apply the latest updates and review their access controls to mitigate risks.

Affected Version(s)

WP Customer Reviews * <= 3.6.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-customer-re...

https://plugins.trac.wordpress.org/changeset/2965656/wp-c...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 22, 2023
Vulnerability Reserved
Aug 31, 2023

Credit

Marco Wotschka