CVE-2023-6506
4.3
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 / Impact: 1.4
Source: NVD
Description
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.
Affected (1)
Products: Wpwhitesecurity: Wp 2fa
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Up to 2.5.0 |
Related CWEs
CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-732
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
References (6)
Source: security@wordfence.com
Third Party Advisory
Source: security@wordfence.com
Patch
Source: security@wordfence.com
ProductThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
ProductThird Party Advisory
Timeline
No history available yet.