First published: Mon Nov 20 2023(Updated: )
The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the audio_merchant_save_settings function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
Myaudiomerchant Audio Merchant | <=5.0.4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2023-6197 is medium with a CVSS score of 5.4.
CVE-2023-6197 is a Cross-Site Request Forgery vulnerability in the Audio Merchant plugin for WordPress.
All versions up to and including 5.0.4 of the Audio Merchant plugin for WordPress are affected by CVE-2023-6197.
Attackers can exploit CVE-2023-6197 by performing Cross-Site Request Forgery attacks on the audio_merchant_save_settings function in the Audio Merchant plugin for WordPress.
To fix CVE-2023-6197, update the Audio Merchant plugin for WordPress to a version above 5.0.4 and ensure proper nonce validation on the audio_merchant_save_settings function.