CVE-2023-4214
Severity CVSS v4.0:
Pending analysis
Type:
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
Publication date:
18/11/2023
Last modified:
25/11/2023
Description
The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apppresser:apppresser:*:*:*:*:*:wordpress:*:* | 4.3.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_API_Limit.php?rev=2997182
- https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_WPAPI_Mods.php#L567
- https://plugins.trac.wordpress.org/changeset/2997160/apppresser
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde?source=cve