CVE-2023-0958
moderate-risk
Published 2023-07-28
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability.
Do I need to act?
-
0.22% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (11)
Clone
Duplicate Post
Enhanced Text Widget
Redirection
Rss Redirect \& Feedburner Alternative
Ssl Mixed Content Fix
Ultimate Posts Widget
Pop-Up
Social Share Icons \& Social Share Buttons
Social Media Share Buttons \& Social Sharing Icons
Affected Vendors
References (46)
and 26 more references
35
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
16/34 · Moderate