Unauthorized Access Vulnerability in WP Extra Plugin for WordPress
CVE-2023-5314
4.3 MEDIUM
Summary
The WP Extra plugin for WordPress contains a vulnerability that enables authenticated attackers, even with minimal permissions such as a subscriber role, to bypass necessary capability checks within the 'test-email' functionality of the register() method. This flaw allows abuse of the site's mail server: malicious users can send emails with arbitrary content to any destination, potentially resulting in spam or phishing attacks.
Affected Version(s)
WP Extra * <= 6.2
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
TP Cyber Security