CVE-2023-6966

Published: Jun 6, 2024Modified: Apr 8, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: security@wordfence.com (Secondary)

Description

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions.

Affected (1)

Products: Themoneytizer: The Moneytizer

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Themoneytizer The Moneytizer	Before 10.0.1

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (5)

https://plugins.trac.wordpress.org/browser/the-moneytizer/trunk/core/core_ajax.php

Source: security@wordfence.com

Patch

https://plugins.trac.wordpress.org/changeset/3099347/the-moneytizer/trunk/core/core_ajax.php?old=3038641&old_path=the-moneytizer%2Ftrunk%2Fcore%2Fcore_ajax.php

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve

Source: security@wordfence.com

Third Party Advisory

https://plugins.trac.wordpress.org/browser/the-moneytizer/trunk/core/core_ajax.php

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/71823e36-3899-4253-a1d2-c6f8921d18dc?source=cve

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.