CVE-2023-5945

low-risk
Published 2023-11-03

The video carousel slider with lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the responsive_video_gallery_with_lightbox_video_management_func() function. This makes it possible for unauthenticated attackers to delete videos hosted from the video slider via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Video Carousel Slider With Lightbox

Affected Vendors

I13Websolution

References (6)

Exploit https://github.com/wp-plugins/wp-responsive-video-gallery-with-lightbox/blob/mas...
Patch https://plugins.trac.wordpress.org/browser/wp-responsive-video-gallery-with-ligh...
Patch https://www.wordfence.com/threat-intel/vulnerabilities/id/dc052b00-65a7-4668-8bd...
Exploit https://github.com/wp-plugins/wp-responsive-video-gallery-with-lightbox/blob/mas...
Patch https://plugins.trac.wordpress.org/browser/wp-responsive-video-gallery-with-ligh...
Patch https://www.wordfence.com/threat-intel/vulnerabilities/id/dc052b00-65a7-4668-8bd...
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal