Cross-Site Request Forgery in Audio Merchant Plugin for WordPress
CVE-2023-6196

8.8HIGH

Key Information:

Vendor

Wordpress
Status
Audio Merchant
Vendor
CVE Published:
20 November 2023

What is CVE-2023-6196?

The Audio Merchant plugin for WordPress suffers from a Cross-Site Request Forgery vulnerability, present in all versions up to and including 5.0.4. This issue arises from inadequate nonce validation within the function responsible for adding audio files. By exploiting this vulnerability, unauthenticated attackers could potentially upload arbitrary files, provided they can deceive a site administrator into executing a crafted request, such as clicking a malicious link.

Affected Version(s)

Audio Merchant * <= 5.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/audio-merchant...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ala Arfaoui
.