CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table.
Explanation of Vulnerability in Simple Terms
Company Posts for LinkedIn versions 1.0.0 and earlier lack proper authorization checks. An authenticated user with low privileges can modify content they should not have access to. The vulnerability requires a valid user account but no special interaction. Update to a version newer than 1.0.0.
What an attacker can do
Modify or alter content belonging to other users or restricted areas of the application.
Potential impact on your site
Unauthorized users can alter posts or content they should not be able to edit, risking data integrity.
Conditions required to exploit
Attacker must have a valid user account with low-level privileges on the site.
Key dates
External resources
Related vulnerabilities
