Cross-Site Request Forgery Vulnerability in Audio Merchant Plugin for WordPress
CVE-2023-6197

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Audio Merchant
Vendor: CVE Published:; 20 November 2023

Summary

The Audio Merchant plugin for WordPress, present in all versions up to 5.0.4, has a vulnerability that allows unauthenticated attackers to exploit missing or incorrect nonce validation in the audio_merchant_save_settings function. By sending a forged request, an attacker can manipulate plugin settings and potentially insert malicious scripts. This exploitation requires the attacker to deceive a site administrator into executing a specific action, such as clicking a malicious link, which could compromise the security of the WordPress site.

Affected Version(s)

Audio Merchant * <= 5.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/audio-merchant...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 20, 2023
Vulnerability Reserved
Nov 17, 2023

Credit

Ala Arfaoui