The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.
History

Fri, 27 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-08-31T05:33:08.078Z

Updated: 2024-09-27T14:23:03.117Z

Reserved: 2023-04-18T22:17:25.706Z

Link: CVE-2023-2172

cve-icon Vulnrichment

Updated: 2024-08-02T06:12:20.632Z

cve-icon NVD

Status : Modified

Published: 2023-08-31T06:15:08.523

Modified: 2024-11-21T07:58:04.720

Link: CVE-2023-2172

cve-icon Redhat

No data.