Moneytizer Plugin Vulnerable to Data Theft and Modification
CVE-2023-6966

8.1 HIGH

Key Information:

Vendor
WordPress
CVE Published:
6 June 2024

Summary

The Moneytizer plugin for WordPress is vulnerable to unauthorized data access, data modification and data loss because several AJAX functions in the /core/core_ajax.php file lack capability checks. Authenticated attackers with subscriber-level access or higher can call these functions to update and retrieve sensitive billing and banking details, change the plugin's settings, and change its language setting, among other lower-severity actions. Updating to a patched version of the plugin is the essential mitigation.
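The root cause described above is a familiar WordPress pattern: a `wp_ajax_*` handler that is reachable by any logged-in user and never asks whether that user is allowed to perform the action. The following PHP is an added illustration written for this page, not code from the Moneytizer plugin; every function, action and option name in it (such as `example_save_billing` and `example_billing_iban`) is hypothetical. It shows the insecure shape beside a hardened handler that checks a nonce and a capability before touching plugin data.

```php
<?php
// Added illustration, not code from the Moneytizer plugin. All function,
// action and option names here (e.g. 'example_save_billing') are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// A 'wp_ajax_*' hook fires for every authenticated user, including subscribers.
// Without a capability check, "logged in" is the only requirement to call it.
add_action( 'wp_ajax_example_save_billing_insecure', 'example_save_billing_insecure' );
function example_save_billing_insecure() {
    // Missing: check_ajax_referer() and current_user_can().
    $iban = sanitize_text_field( wp_unslash( $_POST['iban'] ?? '' ) );
    update_option( 'example_billing_iban', $iban );   // any subscriber can overwrite this
    wp_send_json_success( array( 'saved' => true ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. Verify a nonce bound to this specific action (CSRF protection).
// 2. Require a capability that only administrators hold (authorization).
// Only then read or write plugin data.
add_action( 'wp_ajax_example_save_billing', 'example_save_billing' );
function example_save_billing() {
    check_ajax_referer( 'example_billing_nonce', 'nonce' );      // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {               // subscriber lacks this
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $iban = sanitize_text_field( wp_unslash( $_POST['iban'] ?? '' ) );
    update_option( 'example_billing_iban', $iban );
    wp_send_json_success( array( 'saved' => true ) );
}

// The same two checks belong in read handlers too, since the advisory covers
// retrieval of billing data as well as updates.
add_action( 'wp_ajax_example_get_billing', 'example_get_billing' );
function example_get_billing() {
    check_ajax_referer( 'example_billing_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array( 'iban' => get_option( 'example_billing_iban', '' ) ) );
}
```

The nonce is generated server-side on the admin page that issues the request, for example with `wp_create_nonce( 'example_billing_nonce' )`, and is sent back as the `nonce` POST field. When auditing a plugin, every `add_action( 'wp_ajax_...' )` registration is a good place to start: each handler should contain both a `check_ajax_referer()` (or `wp_verify_nonce()`) call and a `current_user_can()` check appropriate to what the handler does.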

Affected Version(s)

The Moneytizer * <= 9.5.20

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

Credit

Francesco Carlucci