Improper access control in wpCentral plugin for WordPress
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-9043 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
wpCentral Web applications / Modules and components for CMS |
| Vendor | Softaculous Ltd. |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper access control
EUVDB-ID: #VU25411
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-9043
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in place to protect the connection key as it was displayed in the "admin_footer" in a modal dialog. A remote authenticated attacker can bypass implemented security restrictions and gain administrator access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionswpCentral: 1.0 - 1.5.0
External linkshttp://plugins.trac.wordpress.org/changeset?&old=2244363%40wp-central&new=2244363%40wp-central
http://wordpress.org/plugins/wp-central/#developers
http://wpvulndb.com/vulnerabilities/10074
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
