Exploitation Summary
EIP tracks 1 public exploit for CVE-2023-3244. PoCs published by drnull03.
AI-analyzed exploit summary This PoC exploits an access control vulnerability in the WordPress Comments Like Dislike plugin (CVE-2023-3244) by sending an unauthorized AJAX request to reset plugin settings. It requires low-privileged authentication (e.g., subscriber) and targets versions up to 1.2.0.
Description
The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.2.0. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to reset the plugin's settings. NOTE: this issue is was only partially patched in version 1.2.0, as the nonce is still present to subscriber-level users.
Exploits (1)
This PoC exploits an access control vulnerability in the WordPress Comments Like Dislike plugin (CVE-2023-3244) by sending an unauthorized AJAX request to reset plugin settings. It requires low-privileged authentication (e.g., subscriber) and targets versions up to 1.2.0.
References (4)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N