CVE-2023-2494 - OpenCVE

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Granthweb	Go Pricing

Configuration 1 [-]

cpe:2.3:a:granthweb:go_pricing:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://codecanyon.net/item/go-pricing-wordpress-responsive-pricing-tables/3725820	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/5779914a-a168-4835-8aea-e0ab2b3be4f6?source=cve	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-05-23T23:36:47.546Z

Updated: 2023-05-23T23:36:47.546Z

Reserved: 2023-05-03T13:52:10.836Z

Link: CVE-2023-2494

JSON object: View

NVD Information

Status : Modified

Published: 2023-05-24T00:15:09.243

Modified: 2023-11-07T04:12:46.110

Link: CVE-2023-2494

JSON object: View

Redhat Information

No data.

CWE

CWE-862

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:granthweb:go_pricing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8C7278DC-C10E-4220-955E-2053ECE2A533", "versionEndIncluding": "3.3.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege."}], "id": "CVE-2023-2494", "lastModified": "2023-11-07T04:12:46.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2023-05-24T00:15:09.243", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://codecanyon.net/item/go-pricing-wordpress-responsive-pricing-tables/3725820"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5779914a-a168-4835-8aea-e0ab2b3be4f6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}