CVE-2020-35934 MEDIUM

CVE-2020-35934

Vendor N/A
Product n/a
Published January 1, 2021
Last update August 4, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:N

What the vulnerability does

01Description

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin).

Key dates

02Disclosure timeline

January 1, 2021 CVE published
August 4, 2024 Record updated