First published: Mon Nov 20 2023(Updated: )
The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the function audio_merchant_add_audio_file function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|Affected Software||Affected Version||How to fix|
|Myaudiomerchant Audio Merchant||<=5.0.4|
CVE-2023-6196 is a vulnerability found in the Audio Merchant plugin for WordPress, which allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks.
The severity of CVE-2023-6196 is high, with a CVSS score of 8.8.
All versions of the Audio Merchant plugin for WordPress up to and including 5.0.4 are affected by CVE-2023-6196.
Unauthenticated attackers can exploit CVE-2023-6196 by performing Cross-Site Request Forgery attacks on the audio_merchant_add_audio_file function, due to missing or incorrect nonce validation.
You can find more information about CVE-2023-6196 on the Wordfence threat intelligence page and the Audio Merchant plugin's source code on WordPress plugins repository.