First published: Mon Oct 16 2023
The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the title of arbitrary posts (such as drafts and private posts) via an IDOR vector.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Automattic ActivityPub | < 1.0.0 | Update to 1.0.0 or later |
CVE-2023-3706 is a vulnerability in the ActivityPub WordPress plugin before version 1.0.0 that allows any authenticated user to retrieve the title of arbitrary posts through an IDOR vector.
CVE-2023-3706 allows any authenticated user, such as a subscriber, to retrieve the title of arbitrary posts, including draft and private posts.
The severity of CVE-2023-3706 is medium, with a CVSS score of 4.3.
To fix CVE-2023-3706, update the ActivityPub WordPress plugin to version 1.0.0 or later.
The Common Weakness Enumeration (CWE) ID for CVE-2023-3706 is CWE-639.
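As an added illustration (not code from the ActivityPub plugin), the following WordPress-style PHP contrasts the IDOR-prone title lookup described above with a check that only returns a title when the post is publicly viewable and belongs to a post type the plugin handles; the function names and the handled-type list are assumptions.

```php
<?php
// Added example, not the ActivityPub plugin's own code. Assumes a WordPress
// runtime; the function names and $handled_types default are hypothetical.

/**
 * Vulnerable pattern (CWE-639): any authenticated caller supplies a post ID and
 * the title of any post (draft, private, pending, or another post type) is returned.
 */
function example_title_idor( int $post_id ): string {
    return get_the_title( $post_id ); // no status, type, or visibility check
}

/**
 * Hardened pattern: return a title only when the post exists, belongs to a post
 * type this feature is responsible for, and is publicly viewable.
 *
 * @param int      $post_id       Post ID taken from the request.
 * @param string[] $handled_types Post types the plugin handles (hypothetical list).
 * @return string|WP_Error Title, or a WP_Error the caller maps to an HTTP 404.
 */
function example_title_checked( int $post_id, array $handled_types = array( 'post', 'page' ) ) {
    $post = get_post( $post_id );

    if ( ! $post instanceof WP_Post ) {
        return new WP_Error( 'not_found', 'Post not found.', array( 'status' => 404 ) );
    }

    // "Belongs to the plugin": refuse post types this feature never handles.
    if ( ! in_array( $post->post_type, $handled_types, true ) ) {
        return new WP_Error( 'not_found', 'Post not found.', array( 'status' => 404 ) );
    }

    // "Is public": is_post_publicly_viewable() (WordPress 5.7+) checks post status
    // and post type visibility together; password-protected posts are rejected too.
    if ( ! is_post_publicly_viewable( $post ) || ! empty( $post->post_password ) ) {
        // Same 404 as "not found" so the response does not confirm that the ID exists.
        return new WP_Error( 'not_found', 'Post not found.', array( 'status' => 404 ) );
    }

    return get_the_title( $post );
}
```

The key defensive point is that the check is performed on the server for every ID the client supplies, and that a denied ID is indistinguishable from a non-existent one.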