What the vulnerability does
01 Description
The Postem Ipsum plugin for WordPress is vulnerable to unauthorized modification of data that leads to privilege escalation, due to a missing capability check on the postem_ipsum_generate_users() function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary user accounts with the administrator role.
Explanation of Vulnerability in Simple Terms
02 Summary
Postem Ipsum versions 3.0.1 and earlier do not check whether the calling user is allowed to perform the action before running postem_ipsum_generate_users(). Any logged-in user, even one with the lowest built-in role (Subscriber), can trigger it and have the plugin create new accounts with the administrator role. An administrator account under the attacker's control gives full control of the site, so confidentiality, integrity and availability are all affected.
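The pattern behind the description and summary above, as an added illustration that is not the plugin's own code: a user-generating handler reachable by any logged-in user, first without the capability check the advisory says is missing, then hardened. The AJAX action name, the request parameters, the nonce name and the handler internals are assumptions made for the example; only the function name postem_ipsum_generate_users() comes from the advisory.

```php
<?php
// Added example, not code from the Postem Ipsum plugin. Action name, nonce
// name, request fields and handler bodies are assumptions for illustration.

// ---- Vulnerable pattern ---------------------------------------------------
// A wp_ajax_* hook fires for ANY authenticated user, Subscribers included.
// Being logged in is authentication, not authorization: with no capability
// check, every logged-in user can reach the code below and pick the role.
// (How the vulnerable version would be wired up; not registered here:)
// add_action( 'wp_ajax_postem_ipsum_generate_users', 'postem_ipsum_generate_users_vulnerable' );

function postem_ipsum_generate_users_vulnerable() {
    $count = isset( $_POST['count'] ) ? absint( $_POST['count'] ) : 1;
    $role  = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : 'subscriber';

    for ( $i = 0; $i < $count; $i++ ) {
        wp_insert_user( array(
            'user_login' => 'ipsum_' . wp_generate_password( 8, false ),
            'user_pass'  => wp_generate_password( 20 ),
            'role'       => $role, // attacker-chosen: 'administrator'
        ) );
    }
    wp_send_json_success( array( 'created' => $count ) );
}

// ---- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_postem_ipsum_generate_users', 'postem_ipsum_generate_users_hardened' );

function postem_ipsum_generate_users_hardened() {
    // 1. Authorization. 'create_users' is held by Administrators by default,
    //    so Subscribers, Contributors, Authors and Editors stop here.
    //    This is the capability check the advisory reports as missing.
    //    wp_send_json_error() ends the request via wp_die().
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 2. CSRF protection. A nonce bound to this action, so an administrator
    //    cannot be made to trigger it from another site. A nonce is NOT a
    //    substitute for step 1: a Subscriber can obtain a valid nonce too.
    //    Dies on failure by default.
    check_ajax_referer( 'postem_ipsum_generate_users', 'nonce' );

    // 3. Input validation. Cap the count and allow only low-privilege roles;
    //    a dummy-content generator has no reason to mint administrators.
    $count         = min( absint( $_POST['count'] ?? 1 ), 50 );
    $role          = sanitize_key( $_POST['role'] ?? 'subscriber' );
    $allowed_roles = array( 'subscriber', 'contributor', 'author' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'Invalid role', 400 );
    }

    for ( $i = 0; $i < $count; $i++ ) {
        wp_insert_user( array(
            'user_login' => 'ipsum_' . wp_generate_password( 8, false ),
            'user_pass'  => wp_generate_password( 20 ),
            'role'       => $role,
        ) );
    }
    wp_send_json_success( array( 'created' => $count ) );
}
```

The order matters: the capability check comes first because it is the one control a low-privilege account cannot satisfy, and the nonce check is layered on top of it rather than in place of it. On a site that ran a vulnerable version, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` (WP-CLI) lists every administrator account with its creation date, which is the quickest way to spot accounts this bug may have created.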
What an attacker can do
03 Attacker Capabilities
From a Subscriber-level (or higher) account, create new user accounts with the administrator role. Because an administrator account gives full control of a WordPress site, this amounts to reading, modifying, or deleting any content or setting, installing code, and managing every other user account.
Potential impact on your site
04 Site Impact
A low-privilege account is enough to create administrator accounts, so the realistic outcome is full site compromise rather than limited data exposure: content, settings, installed code and the accounts of other users are all at risk. Administrator accounts that nobody recognises, especially recently registered ones, are the thing to look for on a site that ran a vulnerable version.
Conditions required to exploit
05 Prerequisites
The attacker must have a valid account on the site with Subscriber-level access or higher. Sites that allow open registration (Settings > General, "Anyone can register") hand such an account to anyone who asks for one.
Key dates
06 Disclosure timeline
December 13, 2025: CVE published
April 8, 2026: Record updated