Vulnerability Description
The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode, due to missing validation on a user-controlled key. This makes it possible for authenticated attackers with contributor-level access and above to retrieve potentially sensitive user meta.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kylebjohnson | User Shortcodes Plus | <= 2.0.2 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/user-shortcodes-plus/trunk/includes/S (Product)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/76a0a87a-dff0-4a51-bad (Third Party Advisory)
FAQ
What is CVE-2023-6969?
CVE-2023-6969 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a u...
How severe is CVE-2023-6969?
CVE-2023-6969 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-6969?
Check the references section above for vendor advisories and patch information. Affected products include: Kylebjohnson User Shortcodes Plus.