Vulnerability Description
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Instawp | Instawp Connect | <= 0.0.9.18 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includePatch
- https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5Patch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-865Third Party Advisory
- https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.0.9.18/includePatch
- https://plugins.trac.wordpress.org/changeset/2942363/instawp-connect#file5Patch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/48e7acf2-61d4-4762-865Third Party Advisory
FAQ
What is CVE-2023-3956?
CVE-2023-3956 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in vers...
How severe is CVE-2023-3956?
CVE-2023-3956 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-3956?
Check the references section above for vendor advisories and patch information. Affected products include: Instawp Instawp Connect.