Description
The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions.
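The missing check described above, shown as the guard an AJAX handler of this kind needs. This is an added example, not the plugin's own code: the two action names come from the description, while the callback names, the nonce action string `gst_admin_action`, the `manage_options` capability and the file locations are assumptions made for illustration.

```php
<?php
// Added illustration, NOT the plugin's source. Callback names, the nonce
// action 'gst_admin_action' and the capability chosen are hypothetical.

// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_delete_securitytxt', 'gst_example_delete_securitytxt' );
add_action( 'wp_ajax_create_wellknown_folder', 'gst_example_create_wellknown_folder' );

/** Shared gate: stop the request unless it is an authorized admin action. */
function gst_example_authorize() {
    // 1. Capability check: only site administrators may change files on disk.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
    // 2. Nonce check: binds the request to a page rendered for this user.
    //    Third argument false makes it return false instead of dying,
    //    so the handler controls the error response.
    if ( ! check_ajax_referer( 'gst_admin_action', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 ); // exits
    }
}

function gst_example_delete_securitytxt() {
    gst_example_authorize();
    // Fixed server-side path (assumed location); no request input reaches it.
    $path = ABSPATH . '.well-known/security.txt';
    if ( is_file( $path ) ) {
        wp_delete_file( $path );
    }
    wp_send_json_success();
}

function gst_example_create_wellknown_folder() {
    gst_example_authorize();
    $dir = ABSPATH . '.well-known';
    if ( ! is_dir( $dir ) && ! wp_mkdir_p( $dir ) ) {
        wp_send_json_error( array( 'message' => 'Could not create directory' ), 500 );
    }
    wp_send_json_success();
}
```

A nonce alone is not sufficient here, because any logged-in user who can load a page that embeds it can replay it; the capability check is what enforces the role boundary.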
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None
Affected products
References
- MISC: https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d88cc2-91e4-4e53-8c46-93d6ce8bc320?source=cve
- MISC: https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L1963
- MISC: https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L1930
- MISC: https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L174
- MISC: https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L1963
- MISC: https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L1930
- MISC: https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L174