CVE-2023-0335

MEDIUM

WP Shamsi < 4.3.3 - Missing Authorization and CSRF via Attachment Deletion

Title source: llm

Description

The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities that allow a user with a role as low as subscriber to delete attachments.

References (1)

Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/f7a20bea-c3d5-431b-bdcf-e189c81a561a

Scores

CVSS v3 6.5
EPSS 0.0100
EPSS Percentile 58.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352 CWE-862
Status published
Products (1)
wpvar/wp_shamsi < 4.3.3
Published Mar 27, 2023
Tracked Since Feb 18, 2026