Cross-Site Request Forgery in Audio Merchant Plugin for WordPress
CVE-2023-6196

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Audio Merchant
Vendor: CVE Published:; 20 November 2023

Summary

The Audio Merchant plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability, present in all versions up to and including 5.0.4. This issue arises from inadequate nonce validation within the function responsible for adding audio files. By exploiting this vulnerability, unauthenticated attackers could potentially upload arbitrary files, provided they can deceive a site administrator into executing a crafted request, such as clicking a malicious link.

Affected Version(s)

Audio Merchant * <= 5.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/audio-merchant...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 20, 2023
Vulnerability Reserved
Nov 17, 2023

Credit

Ala Arfaoui