CVE-2023-0584

MEDIUM

VK Blocks <= 1.57.0.5 - Authenticated Improper Authorization via REST update_options Function

Title source: llm

Description

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change the 'vk_font_awesome_version' option to an arbitrary value.

References (3)

Core 3

Core References

Patch

https://plugins.trac.wordpress.org/browser/vk-blocks/trunk/inc/vk-blocks/font-awesome/class-vk-blocks-font-awesome-api.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b90b7f6c-df7f-48a5-b283-cf5facbd71e5?source=cve

https://plugins.trac.wordpress.org/changeset/2927751

Scores

CVSS v3 4.3

EPSS 0.0051

EPSS Percentile 39.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (2)

vektor-inc/VK Blocks < 1.57.0.5

vektor-inc/vk_blocks < 1.57.0.5

Published Jun 03, 2023

Tracked Since Feb 18, 2026