CVE-2023-5235
Ovic Responsive WPBakery < 1.2.9 - Subscriber+ Option Update
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.8EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
08 Jan 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Ovic Responsive WPBakery