CVE-2023-6066

MEDIUM

WP Custom Widget area <1.2.5 - Privilege Escalation

Description

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

References (1)

https://wpscan.com/vulnerability/f8f84d47-49aa-4258-a8a6-3de8e7342623 (Exploit, Third Party Advisory; tags: exploit, vdb-entry, technical-description)

Scores

CVSS v3 4.3
EPSS 0.0039
EPSS Percentile 30.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
kishorkhambu/wp_custom_widget_area < 1.2.5
Published Jan 15, 2024
Tracked Since Feb 18, 2026