CVE-2023-1871 - OpenCVE

The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the deleteLang function. This makes it possible for unauthenticated attackers to reset the plugin's quick language translation settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Plugin	Yourchannel

Configuration 1 [-]

cpe:2.3:a:plugin:yourchannel:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://plugins.trac.wordpress.org/browser/yourchannel/trunk/YourChannel.php?rev=2844975#L505	Patch
https://wordpress.org/plugins/yourchannel/	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f7ae863c-4638-49ab-bb1f-52346884c3aa?source=cve	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-04-05T13:25:27.638Z

Updated: 2023-04-05T13:25:27.638Z

Reserved: 2023-04-05T13:25:18.361Z

Link: CVE-2023-1871

JSON object: View

NVD Information

Status : Modified

Published: 2023-04-05T14:15:07.420

Modified: 2023-11-07T04:05:15.950

Link: CVE-2023-1871

JSON object: View

Redhat Information

No data.

CWE

No CWE.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plugin:yourchannel:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B6B01621-9BF4-4C88-997E-DCF7294A2508", "versionEndIncluding": "1.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the deleteLang function. This makes it possible for unauthenticated attackers to reset the plugin's quick language translation settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2023-1871", "lastModified": "2023-11-07T04:05:15.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2023-04-05T14:15:07.420", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/yourchannel/trunk/YourChannel.php?rev=2844975#L505"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/yourchannel/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f7ae863c-4638-49ab-bb1f-52346884c3aa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified"}