CVE-2023-0385

CVSS V2 None CVSS V3 None
Description
The Custom 404 Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.7.1. This is due to missing or incorrect nonce validation on the custom_404_pro_admin_init function. This makes it possible for unauthenticated attackers to delete logs, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Overview
  • CVE ID
  • CVE-2023-0385
  • Assigner
  • security@wordfence.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-01-18T15:15:11
  • Last Modified Date
  • 2023-01-27T15:17:06
Weakness Enumerations
CWE URL
CWE-352 http://cwe.mitre.org/data/definitions/352.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:custom_404_pro_project:custom_404_pro:*:*:*:*:*:wordpress:*:* 1 OR 3.7.2
References
Reference URL Reference Tags
https://plugins.trac.wordpress.org/browser/custom-404-pro/tags/3.7.1/admin/AdminClass.php#L114
https://www.wordfence.com/threat-intel/vulnerabilities/id/968920b9-febf-4d76-a16b-f27954cd72e5
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2023-0385
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0385
History
Created Old Value New Value Data Type Notes
2023-01-18 16:16:19 Added to TrackCVE
2023-01-18 16:16:21 Weakness Enumeration new
2023-01-18 20:14:14 2023-01-18T19:46:26 CVE Modified Date updated
2023-01-18 20:14:14 Received Awaiting Analysis Vulnerability Status updated
2023-01-25 14:13:22 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-01-27 16:15:42 2023-01-27T15:17:06 CVE Modified Date updated
2023-01-27 16:15:42 Undergoing Analysis Analyzed Vulnerability Status updated
2023-01-27 16:15:45 CPE Information updated