First published: Mon Nov 20 2023(Updated: )
The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the function audio_merchant_add_audio_file function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
Myaudiomerchant Audio Merchant | <=5.0.4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-6196 is a vulnerability found in the Audio Merchant plugin for WordPress, which allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks.
The severity of CVE-2023-6196 is high, with a CVSS score of 8.8.
All versions of the Audio Merchant plugin for WordPress up to and including 5.0.4 are affected by CVE-2023-6196.
Unauthenticated attackers can exploit CVE-2023-6196 by performing Cross-Site Request Forgery attacks on the audio_merchant_add_audio_file function, due to missing or incorrect nonce validation.
You can find more information about CVE-2023-6196 on the Wordfence threat intelligence page and the Audio Merchant plugin's source code on WordPress plugins repository.