CVE-2023-0911

Published: Mar 20, 2023Modified: Feb 25, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The WordPress Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 5.12.8 does not validate the user meta to be retrieved via the user shortcode, allowing any authenticated users such as subscriber to retrieve arbitrary user meta (except the user_pass), such as the user email and activation key by default.

Affected (1)

Products: Getshortcodes: Shortcodes Ultimate

1 product

Shortcodes Ultimate

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Getshortcodes Shortcodes Ultimate	Before 5.12.8

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://wpscan.com/vulnerability/35404d16-7213-4293-ac0d-926bd6c17444

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/35404d16-7213-4293-ac0d-926bd6c17444

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.