CVE-2023-6741

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/9debe1ea-18ad-44c4-8078-68eb66d36c4a/	Third Party Advisory
https://wpscan.com/vulnerability/9debe1ea-18ad-44c4-8078-68eb66d36c4a/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:marvinlabs:wp_customer_area:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2024-01-16 16:15

Updated : 2025-06-20 18:15

NVD link : CVE-2023-6741

Mitre link : CVE-2023-6741

CVE.ORG link : CVE-2023-6741

JSON object : View

Products Affected

marvinlabs

wp_customer_area

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-6741", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-01-16T16:15:13.867", "references": [{"url": "https://wpscan.com/vulnerability/9debe1ea-18ad-44c4-8078-68eb66d36c4a/", "tags": ["Third Party Advisory"], "source": "contact@wpscan.com"}, {"url": "https://wpscan.com/vulnerability/9debe1ea-18ad-44c4-8078-68eb66d36c4a/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address."}, {"lang": "es", "value": "El complemento de WordPressWP Customer Area anterior a 8.2.1 no valida adecuadamente las capacidades de los usuarios en algunas de sus acciones AJAX, lo que permite a usuarios malintencionados editar la direcci\u00f3n de cuenta de otros usuarios."}], "lastModified": "2025-06-20T18:15:24.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:marvinlabs:wp_customer_area:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "C22F1304-27E0-4D72-8487-BC5210011831", "versionEndExcluding": "8.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "contact@wpscan.com"}