CVE-2023-39995

Portfolio and Projects <= 1.3.7 - Cross-Site Request Forgery via 'wpos_anylc_admin_init_process'

mediumMissing Authorization

4.3

CVSS Score

4.3

CVSS Score

medium

Severity

1.3.8

Patched in

165d

Time to patch

Description

The Portfolio and Projects plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.7. This is due to missing or incorrect nonce validation on the 'wpos_anylc_admin_init_process' function. This makes it possible for unauthenticated attackers to dismiss admin notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

None

Confidentiality

Low

Integrity

None

Availability

Technical Details

Affected versions<=1.3.7

PublishedAugust 11, 2023

Last updatedJanuary 22, 2024

Affected pluginportfolio-and-projects

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/9567f199-7c31-4df3-aa2c-911780b2497a?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database