Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2023-5448
CVE-2023-5448:
WordPress vulnerability analysis and mitigation
Overview
The WP Register Profile With Shortcode WordPress plugin (versions up to and including 3.5.9) contains a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2023-5448. The vulnerability was discovered and disclosed on January 10, 2024, affecting the plugin's password update functionality (NVD).
Technical details
The vulnerability stems from missing or incorrect nonce validation in the update_password_validate function. The CVSS v3.1 base score is 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a serious security issue that requires user interaction but no privileges for exploitation (Wordfence).
Impact
If successfully exploited, this vulnerability allows unauthenticated attackers to reset a user's password, potentially leading to unauthorized account access and complete account takeover (NVD).
Mitigation and workarounds
A patch has been released to address this vulnerability. Users are advised to update their WP Register Profile With Shortcode plugin to a version newer than 3.5.9 (WordPress Plugin).
Additional resources
Source: This report was generated using AI
Related WordPress vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management