What the vulnerability does
Description
Missing Authorization vulnerability in tstephenson WP-CORS (wp-cors) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CORS: from n/a through <= 0.2.2.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Explanation of Vulnerability in Simple Terms
WP-CORS versions 0.2.2 and earlier lack proper authorization checks, allowing authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter settings or content through the plugin's API endpoints. The vulnerability requires valid login credentials but does not require user interaction beyond authentication.
What an attacker can do
Modify plugin settings or data without proper permission checks.
Potential impact on your site
Unauthorized users can alter WP-CORS configuration or related data, potentially affecting site functionality or security posture.
Conditions required to exploit
Valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).