Vulnerability Description
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions (the identifiers as they appear in the plugin) in versions up to, and including, 3.7. Because these handlers never verify that the caller may manage the site, any authenticated user with minimal permissions, such as a subscriber, can update the plugin's settings. CVE-2023-25030 may be a duplicate of this issue.
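The pattern behind this bug class, shown as an added example that is not the plugin's own code: a WordPress admin-ajax handler that writes an option without checking who is calling, beside the same handler with the nonce and capability checks that a settings-changing action needs. The handler, action and option names (example_settings_post, example_plugin_settings) are assumed for the illustration; the WordPress functions used are the real core API.

```php
<?php
// Added illustration of a missing-capability-check bug in a WordPress
// admin-ajax handler. Not the plugin's own code; handler, action and
// option names are assumed for the example.

// BEFORE: any logged-in user (a subscriber included) can POST to
// admin-ajax.php?action=example_settings_post_unchecked and overwrite the
// option, because the handler verifies neither a nonce nor a capability.
// Logged-in status is all that wp_ajax_* hooks require by themselves.
function example_settings_post_vulnerable() {
    $settings = array(
        'username' => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'widget'   => sanitize_text_field( wp_unslash( $_POST['widget'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_settings_post_unchecked', 'example_settings_post_vulnerable' );

// AFTER: the same write, guarded by the two checks every state-changing
// admin action needs. Each failure ends the request before update_option().
function example_settings_post_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (created server-side with wp_create_nonce( 'example_settings_post' )
    //    and handed to the admin page's script). On failure this dies with 403.
    check_ajax_referer( 'example_settings_post', 'nonce' );

    // 2. Authorization: only users allowed to manage site options proceed.
    //    A subscriber lacks manage_options and is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $settings = array(
        'username' => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'widget'   => sanitize_text_field( wp_unslash( $_POST['widget'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_settings_post', 'example_settings_post_fixed' );
```

The nonce and the capability check answer different questions: the nonce proves the request originated from a page the site served to this user (CSRF), while current_user_can() proves the user is authorized to change settings at all. Input sanitization alone, as in the vulnerable version, fixes neither.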
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Buymeacoffee | Buy Me A Coffee | < 3.8 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/buymeacoffee/trunk/admin/class-buy-me (Exploit)
- https://plugins.trac.wordpress.org/browser/buymeacoffee/trunk/includes/class-buy (Exploit)
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old (Patch)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c1c218c6-1599-4dc9-846 (Third Party Advisory)
FAQ
What is CVE-2023-2078?
CVE-2023-2078 is a vulnerability with a CVSS score of 7.3 (HIGH). The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post...
How severe is CVE-2023-2078?
CVE-2023-2078 has been rated HIGH with a CVSS base score of 7.3/10. Only a low-privileged authenticated account (for example, a subscriber) is needed to exploit it.
Is there a patch for CVE-2023-2078?
Versions up to and including 3.7 are affected (the table above lists versions below 3.8), so updating the plugin to 3.8 or later resolves the issue. See the references above for the changeset and the third-party advisory. Affected products include: Buymeacoffee Buy Me A Coffee.