Main Vulnerability Database SB2023062335

SB2023062335 - Improper Authorization in CMS Commander plugin for WordPress

Published: June 23, 2023

Security Bulletin ID SB2023062335

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Authorization (CVE-ID: CVE-2023-3325)

The vulnerability allows a remote attacker to bypass the authorization mechanisms.

The vulnerability exists due to insufficiently unique cryptographic signature in the cmsc_add_site function. A remote attacker can change the _cmsc_public_key in the plugin configurations.

Remediation

Install update from vendor's website.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca37d453-9f9a-46b2-a17f-65a16e3e2ed1?source=cve
https://plugins.trac.wordpress.org/browser/cms-commander-client/tags/2.287/init.php#L88
https://plugins.trac.wordpress.org/changeset/2927811/cms-commander-client