CVE-2023-2717

CVSS V2 None CVSS V3 None

Description

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enable_safe_mode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other plugins, via a forged request if they can successfully trick an administrator into performing an action such as clicking on a link. A warning message about safe mode is displayed to the admin, which can be easily disabled.

Overview

CVE ID
CVE-2023-2717

Assigner
security@wordfence.com

Vulnerability Status
Received

Published Version
2023-05-20T03:15:09

Last Modified Date
2023-05-20T03:15:09

Weakness Enumerations

CWE	URL
CWE-352	http://cwe.mitre.org/data/definitions/352.html

References

Reference URL	Reference Tags
https://plugins.trac.wordpress.org/browser/groundhogg/tags/2.7.9.8/admin/help/help-page.php#L67
https://plugins.trac.wordpress.org/changeset/2914493/groundhogg/tags/2.7.10/admin/help/help-page.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/af73240c-b711-4e91-9998-5f7e6a9a4fb9?source=cve

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-2717
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2717

History

Created	Old Value	New Value	Data Type	Notes
2023-05-20 04:00:23				Added to TrackCVE
2023-05-20 04:00:26			Weakness Enumeration	new