1.1.1

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

featherplugins

CWE-862

NVD

Published: 2023-05-31

Updated: 2023-11-07

Summary

The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation.

Vulnerable Configurations

Part	Description	Count
Application	Featherplugins Featherplugins Feather Login Page 1.0.7 Featherplugins Feather Login Page 1.1.1	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2ab2178-7438-43ef-961e-b54d0d230f4a?source=cve
https://plugins.trac.wordpress.org/browser/feather-login-page/trunk/features/inc/admin/expirable-login-link.php?rev=2612332#L85