Impact
An unauthenticated insecure direct object reference (IDOR) exists in the Clean Login plugin for WordPress versions 1.15 and earlier. This flaw allows an attacker to craft requests targeting internal object identifiers and gain access to protected resources or sensitive data that were intended to be restricted. The weakness originates from insufficient authorization checks on plugin endpoints, a classic instance of CWE-639, and could potentially compromise user accounts, private settings, or other confidential information stored by the plugin.
Affected Systems
The vulnerability affects installations of the Clean Login plugin developed by Alberto Hornero. All releases up to and including version 1.15 are considered vulnerable. No other products are explicitly listed.
Risk and Exploitability
The CVSS score of 8.2 indicates a high severity vulnerability, and while an EPSS score is not available, the lack of a KEV listing does not reduce the inherent risk. The attack vector is inferred to be through direct HTTP calls to the plugin’s API or admin interfaces, exploiting the missing access control. An attacker can exploit the IDOR without needing any authentication, making the vulnerability readily actionable by anyone with network access to the WordPress site.
OpenCVE Enrichment