CVE-2023-5576

{"id": "CVE-2023-5576", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.6}]}, "published": "2023-10-20T07:15:17.790", "references": [{"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/2977863/", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering."}, {"lang": "es", "value": "El complemento Migration, Backup, Staging - WPvivid para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en versiones hasta la 0.9.91 incluida a trav\u00e9s de los secretos de la API de Google Drive almacenados en texto plano en la fuente del complemento visible p\u00fablicamente. Esto podr\u00eda permitir a atacantes no autenticados hacerse pasar por la cuenta de WPVivid Google Drive a trav\u00e9s de la API si pueden enga\u00f1ar a un usuario para que se vuelva a autenticar mediante otra vulnerabilidad o ingenier\u00eda social."}], "lastModified": "2023-11-07T04:24:08.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpvivid:migration\\,_backup\\,_staging:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "6D75D579-0FCD-42C1-9CA1-FA0C938ADB2D", "versionEndIncluding": "0.9.91"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}