CVE-2023-1979 MEDIUM

CVE-2023-1979: Auth bypass in Web Stories for WordPress plugin

Vendor Google

Product Web Stories for WordPress

Weakness CWE-863 · Incorrect authorization

Published May 8, 2023

Last update January 28, 2025

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Web Stories for WordPress plugin supports the WordPress built-in functionality of protecting content with a password. The content is then only accessible to website visitors after entering the password. In WordPress, users with the "Author" role can create stories, but don't have the ability to edit password protected stories. The vulnerability allowed users with said role to bypass this permission check when trying to duplicate the protected story in the plugin's own dashboard, giving them access to the seemingly protected content. We recommend upgrading to version 1.32 or beyond commit ad49781c2a35c5c92ef704d4b621ab4e5cb77d68 https://github.com/GoogleForCreators/web-stories-wp/commit/ad49781c2a35c5c92ef704d4b621ab4e5cb77d68

Key dates

02Disclosure timeline

May 8, 2023 CVE published

January 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1979

Related vulnerabilities

CVE-2023-1979: Auth bypass in Web Stories for WordPress plugin

01Description

02Disclosure timeline

03References

04Related CVE