Vulnerability Key Information Summary

Vulnerability Overview
CVE ID: CVE-2023-5713
Vulnerability Name: System Dashboard – Broken Logical Control to Mail Box Password Thief
Severity: Very High
Description: A broken logical control vulnerability was discovered in the plugin. It allows any authenticated user, including those with the low-privilege "Subscriber" role, to issue AJAX requests that return sensitive information. The leaked data includes login credentials stored in the database, passwords associated with email accounts, the output of , and comprehensive information about the web application.

Scope of Impact
Affected Plugin: System Dashboard
Affected Versions: <= 2.8.7
Active Installations: 1000+
Public Disclosure Date: January 1, 2024

Remediation Measures
1. Role-Based Access Control (RBAC): Implement strict RBAC so that each user role is granted access only to the features its responsibilities require.
2. AJAX Request Authentication: Implement robust authentication checks on AJAX requests so that only authorized users can reach sensitive handlers.
3. Regular Security Audits: Conduct regular security audits of the plugin code to identify and correct access-control (logical control) flaws.
4. User Input Validation: Implement strict input validation and sanitization to prevent injection attacks and unauthorized access.
5. Security Patches: Release and apply security patches promptly to address discovered vulnerabilities.

POC Code
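The RBAC, AJAX authentication and input validation measures listed above, shown as an added hardening example for a WordPress admin-ajax handler; this is not the plugin's own code and not a proof of concept, and the action, nonce and function names are hypothetical placeholders:

```php
<?php
// Added example: a WordPress admin-ajax handler that enforces authorization
// before returning diagnostic data. Names prefixed "example_" are hypothetical.

add_action( 'wp_ajax_example_dashboard_info', 'example_dashboard_info_handler' );

function example_dashboard_info_handler() {
    // 1. RBAC: the wp_ajax_* hook fires for ANY logged-in user, Subscribers
    //    included, so the handler itself must check a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. Nonce check: ties the request to an admin page the user actually
    //    loaded, so the endpoint cannot be driven by a forged cross-site request.
    check_ajax_referer( 'example_dashboard_nonce', 'nonce' );

    // 3. Input validation: accept only an allow-list of report sections.
    $allowed = array( 'php', 'server', 'database' );
    $section = isset( $_POST['section'] ) ? sanitize_key( $_POST['section'] ) : '';
    if ( ! in_array( $section, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown section.' ), 400 );
    }

    wp_send_json_success( example_collect_section( $section ) );
}

// Returns only non-secret diagnostics; credentials such as DB_PASSWORD or
// mail account passwords must never be placed in an AJAX response.
function example_collect_section( $section ) {
    global $wpdb;
    switch ( $section ) {
        case 'php':      return array( 'php_version' => phpversion() );
        case 'server':   return array( 'os' => PHP_OS );
        case 'database': return array( 'db_version' => $wpdb->db_version() );
    }
    return array();
}

// The admin page issuing the request must embed the matching nonce.
function example_dashboard_enqueue() {
    wp_enqueue_script( 'example-dashboard', plugins_url( 'dashboard.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-dashboard', 'exampleDashboard', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_dashboard_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_dashboard_enqueue' );
```

A handler that omits the capability check is reachable by every authenticated role, which is the class of flaw this advisory describes; the nonce alone does not establish authorization.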