漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Divi Form Builder <= 5.1.8 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via User Profile Update Form
Vulnerability Description
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific user account, and the handle_register_submission() function only checking if any user is logged in rather than validating permissions for the target user. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address and password of any user account, including administrators, resulting in complete account takeover.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
Divi Engine Divi Form Builder 授权问题漏洞
Vulnerability Description
Divi Engine Divi Form Builder是Divi Engine的表单生成器。 Divi Engine Divi Form Builder 5.1.8及之前版本存在授权问题漏洞,该漏洞源于update_user()函数接受表单提交中的用户ID参数而未验证已认证用户是否有权限编辑特定用户账户,且handle_register_submission()函数仅检查是否有用户登录而未验证目标用户权限,可能导致已认证攻击者(具有订阅者级别及以上权限)更改任意用户账户的电子邮件和密码,导致完全账户接
CVSS Information
N/A
Vulnerability Type
N/A