Severity
High
Analysis Summary
CVE-2023-4213 CVSS:8.8
Simplr Registration Form Plus+ plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure direct object references flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to change user passwords and potentially take over administrator accounts.
CVE-2023-4890 CVSS:6.4
JQuery Accordion Menu Widget Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the ‘dcwp-jquery-accordion’ shortcode to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-4893 CVSS:6.4
Crayon Syntax Highlighter Plugin for WordPress is vulnerable to server-side request forgery, caused by a flaw in the remote function of ‘crayon’ shortcode. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to access or manipulate resources from the perspective of the affected server.
Impact
- Security Bypass
- Cross-Site Scripting
Indicators Of Compromise
CVE
- CVE-2023-4213
- CVE-2023-4890
- CVE-2023-4893
Affected Vendors
WordPress
Affected Products
- Simplr Registration Form Plus+ plugin for WordPress 2.4.5
- JQuery Accordion Menu Widget Plugin for WordPress 3.1.2
- Crayon Syntax Highlighter Plugin for WordPress 2.8.4
Remediation
Refer to Wordfence Website for patch, upgrade or suggested workaround information.