Vulnerability identifier: #VU25602
Vulnerability risk: Medium
CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Pricing Table by Supsystic
Web applications / Modules and components for CMS
Vendor: supsystic.com
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to insecure permissions on several AJAX actions. A remote attacker can obtain sensitive information about any given pricing table, as well as create and import new pricing tables or alter existing ones.
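The flaw class described above is an AJAX action that does not verify who is calling it. The following is an added example, not code from the Pricing Table by Supsystic plugin or from the vendor: it shows a WordPress AJAX handler for reading pricing-table data first in the insecure shape (reachable anonymously, no capability check) and then hardened with a nonce check and a capability check. It assumes a WordPress runtime; the action names, function names and the data loader are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Action and function names are
// hypothetical; WordPress core functions (add_action, check_ajax_referer,
// current_user_can, wp_send_json_*) are real.

// Insecure pattern: registered for anonymous callers via wp_ajax_nopriv_
// and returns data for any table id with no authorization check, so any
// visitor can read any table.
add_action( 'wp_ajax_nopriv_example_get_table', 'example_get_table_insecure' );
add_action( 'wp_ajax_example_get_table',        'example_get_table_insecure' );
function example_get_table_insecure() {
    $id = isset( $_GET['id'] ) ? (int) $_GET['id'] : 0;
    wp_send_json( example_load_table( $id ) );
}

// Hardened pattern: registered only for authenticated users (no nopriv
// hook), bound to a nonce for this action, and gated on a capability
// appropriate to managing plugin data.
add_action( 'wp_ajax_example_get_table_secure', 'example_get_table_secure' );
function example_get_table_secure() {
    // Reject requests without a valid nonce for this action (CSRF defence).
    check_ajax_referer( 'example_table_nonce', 'nonce' );

    // Authorization: only users allowed to manage options may read tables.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Input validation: table id must be a positive integer.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'Missing table id' ), 400 );
    }

    wp_send_json_success( example_load_table( $id ) );
}

// Hypothetical stand-in for the plugin's data access layer so the example
// is self-contained; a real plugin would query its own storage here.
function example_load_table( $id ) {
    return array( 'id' => $id, 'title' => 'Sample table ' . $id );
}
```

The nonce is issued server-side with wp_create_nonce( 'example_table_nonce' ) and handed to the page's JavaScript, which sends it back as the nonce parameter. The same two checks (check_ajax_referer and current_user_can) apply to the create, import and update actions; the capability check is what actually enforces authorization, the nonce only proves the request originated from a page WordPress rendered for that user.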
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Pricing Table by Supsystic: 1.0.1 - 1.8.1
External links
http://www.wordfence.com/blog/2020/02/multiple-vulnerabilities-patched-in-pricing-table-by-supsysti...
http://www.youtube.com/watch?v=LhyQUbLt85c
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.