CVE-2023-0958

Summary

Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability.

Affected Software

VendorProductVersion RangeStatus
inisevRedirection0 <= 1.1.3affected
inisevPop-up0 <= 1.1.9affected
inisevBackupBliss – Backup & Migration with Free Cloud Storage0 <= 1.2.7affected
inisevDuplicate Post0 <= 1.3.9affected
cl272Enhanced Text Widget0 <= 1.5.7affected
cl272Ultimate Posts Widget0 <= 2.2.4affected
migrateClone0 <= 2.3.7affected
inisevSocial Media Share Buttons & Social Sharing Icons0 <= 2.8.1affected
steve85bSSL Mixed Content Fix0 <= 3.2.3affected
inisevSocial Share Icons & Social Share Buttons0 <= 3.5.7affected
s-feedsRSS Redirect & Feedburner Alternative0 <= 3.7affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References