CVE-2023-2623 - Vulnerability Details - OpenCVE

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00276.

Exploitation poc

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

KiviCare

unaffected

Version	Status	Constraints
`0`	affected	< 3.2.1

Configuration 1 [-]

cpe:2.3:a:iqonic:kivicare:*:*:*:*:*:wordpress:*:*

No data.

No data.

Project Subscriptions

Vendors	Products
Iqonic Subscribe	Kivicare Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2023-34094	The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://wpscan.com/vulnerability/85cc39b1-416f-4d23-84c1-fdcbffb0dda0

History

Wed, 27 Nov 2024 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2023-06-27T13:17:20.907Z

Updated: 2024-11-27T19:18:07.869Z

Reserved: 2023-05-10T09:40:03.919Z

Link: CVE-2023-2623

Vulnrichment

Updated: 2024-08-02T06:26:09.881Z

NVD

Status : Modified

Published: 2023-06-27T14:15:10.967

Modified: 2024-11-21T07:58:57.173

Link: CVE-2023-2623

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2623", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2023-05-10T09:40:03.919Z", "datePublished": "2023-06-27T13:17:20.907Z", "dateUpdated": "2024-11-27T19:18:07.869Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-06-27T13:17:20.907Z"}, "title": "KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure", "problemTypes": [{"descriptions": [{"description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "KiviCare", "versions": [{"status": "affected", "versionType": "custom", "version": "0", "lessThan": "3.2.1"}], "defaultStatus": "unaffected", "collectionURL": "https://wordpress.org/plugins"}], "descriptions": [{"lang": "en", "value": "The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users"}], "references": [{"url": "https://wpscan.com/vulnerability/85cc39b1-416f-4d23-84c1-fdcbffb0dda0", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Erwan LR (WPScan)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:09.881Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/85cc39b1-416f-4d23-84c1-fdcbffb0dda0", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-27T19:17:56.587222Z", "id": "CVE-2023-2623", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T19:18:07.869Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2623", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2023-05-10T09:40:03.919Z", "datePublished": "2023-06-27T13:17:20.907Z", "dateUpdated": "2024-11-27T19:18:07.869Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-06-27T13:17:20.907Z"}, "title": "KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure", "problemTypes": [{"descriptions": [{"description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "KiviCare", "versions": [{"status": "affected", "versionType": "custom", "version": "0", "lessThan": "3.2.1"}], "defaultStatus": "unaffected", "collectionURL": "https://wordpress.org/plugins"}], "descriptions": [{"lang": "en", "value": "The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users"}], "references": [{"url": "https://wpscan.com/vulnerability/85cc39b1-416f-4d23-84c1-fdcbffb0dda0", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Erwan LR (WPScan)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:09.881Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/85cc39b1-416f-4d23-84c1-fdcbffb0dda0", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2623", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-27T19:17:56.587222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-27T19:18:00.919Z"}}]}}