CVE-2023-3707

Published: Oct 16, 2023Modified: Apr 23, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitrary post (such as draft and private) via an IDOR vector. Password protected posts are not affected by this issue.

Affected (1)

Products: Automattic: Activitypub

Automattic

1 product

Activitypub

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Automattic Activitypub	Before 1.0.0

References (2)

https://wpscan.com/vulnerability/541bbe4c-3295-4073-901d-763556269f48

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/541bbe4c-3295-4073-901d-763556269f48

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.