CVE-2023-7202 - Vulnerability Details - OpenCVE

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00089.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Verygoodplugins Subscribe	Fatal Error Notify Subscribe

Configuration 1 [-]

cpe:2.3:a:verygoodplugins:fatal_error_notify:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/
https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/

History

Thu, 01 May 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Verygoodplugins Verygoodplugins fatal Error Notify
CPEs		cpe:2.3:a:verygoodplugins:fatal_error_notify::::::wordpress::*
Vendors & Products		Verygoodplugins Verygoodplugins fatal Error Notify

Mon, 28 Oct 2024 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-352
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-02-27T08:30:23.406Z

Updated: 2024-10-28T00:09:36.117Z

Reserved: 2024-01-03T12:33:57.206Z

Link: CVE-2023-7202

Vulnrichment

Updated: 2024-08-02T08:57:35.020Z

NVD

Status : Analyzed

Published: 2024-02-27T09:15:37.397

Modified: 2025-05-01T14:31:33.903

Link: CVE-2023-7202

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-352

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-7202", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2024-01-03T12:33:57.206Z", "datePublished": "2024-02-27T08:30:23.406Z", "dateUpdated": "2024-10-28T00:09:36.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-02-27T08:30:23.406Z"}, "title": "Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending", "problemTypes": [{"descriptions": [{"description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Fatal Error Notify", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "1.5.3"}], "defaultStatus": "unaffected", "collectionURL": "https://wordpress.org/plugins"}], "descriptions": [{"lang": "en", "value": "The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF"}], "references": [{"url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/", "tags": ["exploit", "vdb-entry", "technical-description"]}, {"url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/"}], "credits": [{"lang": "en", "value": "Dmitrii Ignatyev", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-02-27T14:33:53.033931Z", "id": "CVE-2023-7202", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T00:09:36.117Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:35.020Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:35.020Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-7202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-27T14:33:53.033931Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:13.328Z"}}], "cna": {"title": "Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Fatal Error Notify", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.3", "versionType": "semver"}], "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/", "tags": ["exploit", "vdb-entry", "technical-description"]}, {"url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/"}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-862 Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2024-02-27T08:30:23.406Z"}}}, "cveMetadata": {"cveId": "CVE-2023-7202", "state": "PUBLISHED", "dateUpdated": "2024-10-28T00:09:36.117Z", "dateReserved": "2024-01-03T12:33:57.206Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2024-02-27T08:30:23.406Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:verygoodplugins:fatal_error_notify:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A3124452-DBFE-40A9-86BF-F4CB387F0807", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF"}, {"lang": "es", "value": "El complemento Fatal Error Notify de WordPress anterior a 1.5.3 no tiene autorizaci\u00f3n y CSRF verifica su acci\u00f3n test_error AJAX, lo que permite a cualquier usuario autenticado, como un suscriptor, llamarlo y enviar spam a la direcci\u00f3n de correo electr\u00f3nico del administrador con mensajes de error. El problema tambi\u00e9n se puede explotar a trav\u00e9s de CSRF."}], "id": "CVE-2023-7202", "lastModified": "2025-05-01T14:31:33.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-27T09:15:37.397", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}