CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange.
Explanation of Vulnerability in Simple Terms
Password Policy Manager versions up to 2.0.5 lack proper authorization checks, allowing authenticated users to modify settings they should not have access to. An attacker with low-level account privileges can alter password policies or manager configurations without proper permission validation. The vulnerability requires an existing user account but does not require administrative rights.
What an attacker can do
Modify password policies or manager settings without proper authorization.
Potential impact on your site
Unauthorized users can change password policies, potentially weakening security or disrupting legitimate user access.
Conditions required to exploit
Attacker must have a valid low-privilege user account on the site.
Key dates
External resources
Related vulnerabilities
