First published: Mon Nov 20 2023(Updated: )
The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the audio_merchant_save_settings function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
|Affected Software||Affected Version||How to fix|
|Myaudiomerchant Audio Merchant||<=5.0.4|
The severity of CVE-2023-6197 is medium with a CVSS score of 5.4.
CVE-2023-6197 is a Cross-Site Request Forgery vulnerability in the Audio Merchant plugin for WordPress.
All versions up to and including 5.0.4 of the Audio Merchant plugin for WordPress are affected by CVE-2023-6197.
Attackers can exploit CVE-2023-6197 by performing Cross-Site Request Forgery attacks on the audio_merchant_save_settings function in the Audio Merchant plugin for WordPress.
To fix CVE-2023-6197, update the Audio Merchant plugin for WordPress to a version above 5.0.4 and ensure proper nonce validation on the audio_merchant_save_settings function.