CVE-2023-23986 (GCVE-0-2023-23986)

Vulnerability from cvelistv5 – Published: 2024-12-09 11:31 – Updated: 2024-12-09 18:42
VLAI?
Title
WordPress Reviews and Rating – Google My Business plugin <= 4.14 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating – Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating – Google My Business: from n/a through 4.14.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CWE
Assigner
References
Impacted products
Vendor Product Version
Noah Hearle, Design Extreme Reviews and Rating – Google My Business Affected: n/a , ≤ 4.14 (custom)
Create a notification for this product.
Credits
István Márton (Patchstack Alliance)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-23986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-09T13:28:54.118253Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-09T18:42:00.559Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "g-business-reviews-rating",
          "product": "Reviews and Rating \u2013 Google My Business",
          "vendor": "Noah Hearle, Design Extreme",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.15",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "4.14",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Reviews and Rating \u2013 Google My Business: from n/a through 4.14.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating \u2013 Google My Business: from n/a through 4.14."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-09T11:31:42.240Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/g-business-reviews-rating/vulnerability/wordpress-reviews-and-rating-google-my-business-plugin-4-14-broken-access-control?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Reviews and Rating \u2013 Google My Business plugin to the latest available version (at least 4.15)."
            }
          ],
          "value": "Update the WordPress Reviews and Rating \u2013 Google My Business plugin to the latest available version (at least 4.15)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Reviews and Rating \u2013 Google My Business plugin \u003c= 4.14 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2023-23986",
    "datePublished": "2024-12-09T11:31:42.240Z",
    "dateReserved": "2023-01-20T09:29:05.599Z",
    "dateUpdated": "2024-12-09T18:42:00.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \\u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating \\u2013 Google My Business: from n/a through 4.14.\"}, {\"lang\": \"es\", \"value\": \"La vulnerabilidad de autorizaci\\u00f3n faltante en Noah Hearle, Design Extreme Reviews and Rating \\u2013 Google My Business permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Reviews and Rating \\u2013 Google My Business: desde n/a hasta la versi\\u00f3n 4.14.\"}]",
      "id": "CVE-2023-23986",
      "lastModified": "2024-12-09T13:15:22.163",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"audit@patchstack.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.5}]}",
      "published": "2024-12-09T13:15:22.163",
      "references": "[{\"url\": \"https://patchstack.com/database/wordpress/plugin/g-business-reviews-rating/vulnerability/wordpress-reviews-and-rating-google-my-business-plugin-4-14-broken-access-control?_s_id=cve\", \"source\": \"audit@patchstack.com\"}]",
      "sourceIdentifier": "audit@patchstack.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"audit@patchstack.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-23986\",\"sourceIdentifier\":\"audit@patchstack.com\",\"published\":\"2024-12-09T13:15:22.163\",\"lastModified\":\"2024-12-09T13:15:22.163\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating \u2013 Google My Business: from n/a through 4.14.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de autorizaci\u00f3n faltante en Noah Hearle, Design Extreme Reviews and Rating \u2013 Google My Business permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Reviews and Rating \u2013 Google My Business: desde n/a hasta la versi\u00f3n 4.14.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://patchstack.com/database/wordpress/plugin/g-business-reviews-rating/vulnerability/wordpress-reviews-and-rating-google-my-business-plugin-4-14-broken-access-control?_s_id=cve\",\"source\":\"audit@patchstack.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-23986\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-09T13:28:54.118253Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-09T13:30:44.230Z\"}}], \"cna\": {\"title\": \"WordPress Reviews and Rating \\u2013 Google My Business plugin \u003c= 4.14 - Broken Access Control vulnerability\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Istv\\u00e1n M\\u00e1rton (Patchstack Alliance)\"}], \"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Noah Hearle, Design Extreme\", \"product\": \"Reviews and Rating \\u2013 Google My Business\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"4.15\", \"status\": \"unaffected\"}], \"version\": \"n/a\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.14\"}], \"packageName\": \"g-business-reviews-rating\", \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update the WordPress Reviews and Rating \\u2013 Google My Business plugin to the latest available version (at least 4.15).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update the WordPress Reviews and Rating \\u2013 Google My Business plugin to the latest available version (at least 4.15).\", \"base64\": false}]}], \"references\": [{\"url\": \"https://patchstack.com/database/wordpress/plugin/g-business-reviews-rating/vulnerability/wordpress-reviews-and-rating-google-my-business-plugin-4-14-broken-access-control?_s_id=cve\", \"tags\": [\"vdb-entry\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Missing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \\u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reviews and Rating \\u2013 Google My Business: from n/a through 4.14.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eMissing Authorization vulnerability in Noah Hearle, Design Extreme Reviews and Rating \\u2013 Google My Business allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Reviews and Rating \\u2013 Google My Business: from n/a through 4.14.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"shortName\": \"Patchstack\", \"dateUpdated\": \"2024-12-09T11:31:42.240Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-23986\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-09T18:42:00.559Z\", \"dateReserved\": \"2023-01-20T09:29:05.599Z\", \"assignerOrgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"datePublished\": \"2024-12-09T11:31:42.240Z\", \"assignerShortName\": \"Patchstack\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.