CVE-2023-6966 HIGH

CVE-2023-6966: The Moneytizer <= 9.6.3 - Missing Authorization via multiple AJAX actions

Vendor Lvaudore

Product The Moneytizer

Weakness CWE-284

Published June 6, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions.

Key dates

02Disclosure timeline

June 6, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-6966 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2023-6966: The Moneytizer <= 9.6.3 - Missing Authorization via multiple AJAX actions

01Description

02Disclosure timeline

03References

04Related CVE