Sensitive Information Exposure in Leyka Plugin for WordPress
CVE-2023-4917

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Leyka
Vendor: CVE Published:; 13 September 2023

Summary

The Leyka plugin for WordPress presents a serious vulnerability in versions up to 3.30.3, allowing authenticated users with subscriber-level permissions or above to exploit the 'leyka_ajax_get_env_and_options' function. This critical flaw enables attackers to retrieve sensitive information, including Sberbank API keys and passwords, as well as PayPal Client Secrets. Website administrators must act swiftly to update the plugin to secure their environments and protect their users' sensitive data from being compromised.

Affected Version(s)

Leyka * <= 3.30.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/leyka/tags/3.3...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 13, 2023
Vulnerability Reserved
Sep 12, 2023

Credit

Lana Codes