CVE-2023-0583

low-risk

Published 2023-06-03

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_vk_blocks_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Vk Blocks

Affected Vendors

Vektor-Inc

References (5)

Patch https://plugins.trac.wordpress.org/browser/vk-blocks/trunk/inc/vk-blocks/App/Res...

https://plugins.trac.wordpress.org/changeset/2921566/vk-blocks/tags/1.57.1.0/inc...

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/12a94f5b-bc30-4a65-b39...

Patch https://plugins.trac.wordpress.org/browser/vk-blocks/trunk/inc/vk-blocks/App/Res...

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/12a94f5b-bc30-4a65-b39...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal