CVE-2023-3706

Published: Oct 16, 2023Modified: Apr 23, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector

Affected (1)

Products: Automattic: Activitypub

Automattic

1 product

Activitypub

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Automattic Activitypub	Before 1.0.0

References (2)

https://wpscan.com/vulnerability/daa4d93a-f8b1-4809-a18e-8ab63a05de5a

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/daa4d93a-f8b1-4809-a18e-8ab63a05de5a

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.