Vulnerability title
WooCommerce HUSKY – Products Filter Professional plugin: Insecure Direct Object Reference vulnerability
Vulnerability description
The WordPress plugin HUSKY – Products Filter Professional for WooCommerce is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.3.6.1. The flaw exists because the user-controlled 'key' parameter is not validated when the woof_messenger_remove_subscr AJAX action is executed. This makes it possible for authenticated attackers with subscriber-level access and above to unsubscribe other users from product notifications, provided they can obtain or brute-force the key values of users who signed up to receive notifications. The vulnerability requires the plugin's Products Messenger extension to be enabled.
CVSS
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerability category
Authorization Bypass Through User-Controlled Key
Vulnerability title
HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.1 - Insecure Direct Object Reference to Unsubscribe
Vulnerability description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be enabled.
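The pattern behind this class of bug, as an added illustration that is not HUSKY's own code: a WordPress AJAX handler that looks up and deletes a notification subscription purely by a caller-supplied 'key', next to a hardened handler that additionally checks a nonce, verifies that the subscription belongs to the current user (or that the caller holds a management capability), and issues keys from a CSPRNG so that brute force is infeasible. All function names, the 'demo_product_subscriptions' option layout and the AJAX action names are invented for this example; the WordPress API calls used (check_ajax_referer, get_option, update_option, get_current_user_id, current_user_can, wp_send_json_success/error) are real.

```php
<?php
// Added example, not code from the HUSKY plugin. Option name, record layout,
// action names and function names are hypothetical.
//
// Storage model assumed here: one option holding   key => array( 'user_id' => int, 'product_id' => int )

// --- Vulnerable pattern -------------------------------------------------------
// The only thing selecting the record is the user-controlled 'key'. Nothing ties
// that key to the caller, so any logged-in user who learns or guesses another
// user's key can remove that user's subscription (the IDOR described above).
function demo_vuln_remove_subscription() {
    $key  = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $subs = get_option( 'demo_product_subscriptions', array() );

    if ( '' !== $key && isset( $subs[ $key ] ) ) {
        unset( $subs[ $key ] );
        update_option( 'demo_product_subscriptions', $subs );
        wp_send_json_success( 'removed' );
    }
    wp_send_json_error( 'not found', 404 );
}
// Registered for logged-in users only; subscriber-level accounts still qualify.
add_action( 'wp_ajax_demo_vuln_remove_subscr', 'demo_vuln_remove_subscription' );

// --- Hardened pattern ---------------------------------------------------------
function demo_safe_remove_subscription() {
    // 1. CSRF protection: nonce generated with wp_create_nonce( 'demo_remove_subscr' )
    //    on the page that issues the request. This alone does NOT fix the IDOR.
    check_ajax_referer( 'demo_remove_subscr', 'nonce' ); // dies with 403 on failure

    $key  = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $subs = get_option( 'demo_product_subscriptions', array() );

    if ( '' === $key || ! isset( $subs[ $key ] ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 2. Authorization: the record must belong to the caller, or the caller must
    //    hold a capability that legitimately covers other users' subscriptions.
    //    'manage_woocommerce' is the WooCommerce shop-manager capability; treating
    //    it as sufficient here is an assumption of this example.
    $owner_id = (int) $subs[ $key ]['user_id'];
    if ( $owner_id !== get_current_user_id() && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    unset( $subs[ $key ] );
    update_option( 'demo_product_subscriptions', $subs );
    wp_send_json_success( 'removed' );
}
add_action( 'wp_ajax_demo_safe_remove_subscr', 'demo_safe_remove_subscription' );

// 3. Key issuance: 128 bits from the OS CSPRNG. Even where an ownership check is
//    missing, keys of this size cannot be brute-forced over HTTP; short or
//    predictable keys (sequential IDs, md5 of an email) are what makes the
//    "obtain or brute force" path in the advisory practical.
function demo_new_subscription_key() {
    return bin2hex( random_bytes( 16 ) );
}

// Defensive check for an existing deployment: flag keys too short to resist guessing.
function demo_key_is_strong( $key ) {
    return is_string( $key ) && strlen( $key ) >= 32 && ctype_xdigit( $key );
}
```

The essential fix is step 2: the server must decide who may delete a given record from the authenticated identity, not from the mere possession of an identifier. A nonce only proves the request came from a page the site served to that same user, so it blocks CSRF but still lets a subscriber delete any record whose key they know. Strong random keys are defence in depth, not a substitute for the ownership check.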
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (as recorded in this entry; note that the description requires subscriber-level authentication, which the first entry's vector expresses as PR:L)
Vulnerability category
Missing Authorization
Vulnerability title
WordPress plugin HUSKY security vulnerability
Vulnerability description
WordPress is a blogging platform from the WordPress Foundation, developed in PHP, that lets users host a personal blog on a server running PHP and MySQL; it is extended by plugins, of which HUSKY is one. The WordPress plugin HUSKY in versions 1.3.6.1 and earlier has a security vulnerability caused by missing validation of the user-controlled 'key' parameter. An attacker who obtains or brute-forces the key value of a user who signed up to receive notifications can exploit the flaw to unsubscribe that user.
CVSS
N/A
Vulnerability category
Other