Vulnerability Description
The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apusthemes | Wp Private Messaging | < 1.0.6 |
References
- https://themeforest.net/item/superio-job-board-wordpress-theme/32180231Product
- https://wpscan.com/vulnerability/f915e5ac-e216-4d1c-aec1-c3be11e2a6deExploitThird Party Advisory
- https://themeforest.net/item/superio-job-board-wordpress-theme/32180231Product
- https://wpscan.com/vulnerability/f915e5ac-e216-4d1c-aec1-c3be11e2a6deExploitThird Party Advisory
FAQ
What is CVE-2023-0453?
CVE-2023-0453 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. ...
How severe is CVE-2023-0453?
CVE-2023-0453 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-0453?
Check the references section above for vendor advisories and patch information. Affected products include: Apusthemes Wp Private Messaging.