CVE-2023-0889: TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update
First published: Mon Apr 17 2023(Updated: )
Themeflection Numbers WordPress plugin before 2.0.1 does not have authorisation and CSRF check in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated users, such as subscriber, to update arbitrary blog options, such as enabling registration and set the default role to administrator
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Metagauss Themeflection Numbers | <2.0.1 | |
| <2.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-0889.
What is the severity of CVE-2023-0889?
The severity of CVE-2023-0889 is medium with a severity value of 6.5.
What is the affected software for CVE-2023-0889?
The affected software for CVE-2023-0889 is the Themeflection Numbers WordPress plugin before version 2.0.1.
What is the impact of CVE-2023-0889?
CVE-2023-0889 allows authenticated users, such as subscribers, to update arbitrary blog options.
Is there a fix available for CVE-2023-0889?
There is currently no information available about a fix for CVE-2023-0889. It is recommended to update to a newer version of the plugin if one becomes available.
- collector/nvd-index
- agent/type
- agent/author
- agent/title
- agent/references
- agent/severity
- agent/weakness
- agent/first-publish-date
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/source
- agent/tags
- agent/event
- vendor/metagauss
- canonical/metagauss themeflection numbers