CVE-2023-1509

CVSS V2 None CVSS V3 None

Description

The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing nonce validation on the gmace_manager_server function called via the wp_ajax_gmace_manager AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Overview

CVE ID
CVE-2023-1509

Assigner
security@wordfence.com

Vulnerability Status
Analyzed

Published Version
2023-03-29T11:15:07

Last Modified Date
2023-04-05T02:13:55

Weakness Enumerations

CWE	URL
CWE-352	http://cwe.mitre.org/data/definitions/352.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:gmace_project:gmace::::::wordpress::*	1	OR		1.5.2

References

Reference URL	Reference Tags
https://plugins.trac.wordpress.org/browser/gmace/trunk/gmace.php?rev=1583327#L84	Product
https://plugins.trac.wordpress.org/browser/gmace/trunk/inc/filemanager.php?rev=1583319#L27	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/826b3913-9a37-4e15-80fd-b35cefb51af8?source=cve	Third Party Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-1509
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1509

History

Created	Old Value	New Value	Data Type	Notes
2023-04-17 03:45:20				Added to TrackCVE
2023-04-17 03:45:23			Weakness Enumeration	new