Unauthorized Data Modification in Easy Social Feed Plugin by WordPress
CVE-2023-6883

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vendor: CVE Published:; 11 January 2024

Summary

The Easy Social Feed plugin for WordPress has a vulnerability that allows authenticated attackers with subscriber access or higher to modify sensitive plugin settings. This arises from insufficient checks on multiple AJAX functions, permitting unauthorized actions. Attackers could potentially alter Facebook and Instagram access tokens and update group IDs, posing significant risks to security and data integrity.

Affected Version(s)

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box * <= 6.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3012165/easy...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 11, 2024
Vulnerability Reserved
Dec 16, 2023

Credit

Lucio Sá