CVE-2023-2079 : The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulne

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for unauthenticated attackers to update the plugins settings, via a forged request granted the attacker can trick a site's administrator into performing an action such as clicking on a link.

Published 2023-07-11 03:15:09

Updated 2023-07-18 18:56:25

Source Wordfence

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2023-2079

Buymeacoffee » Buy Me A Coffee » For Wordpress
Versions before (<) 3.8
cpe:2.3:a:buymeacoffee:buy_me_a_coffee:*:*:*:*:*:wordpress:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-2079

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-2079

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
8.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L	3.9	3.7	Wordfence
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2023-2079

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: security@wordfence.com (Primary)

References for CVE-2023-2079

https://plugins.trac.wordpress.org/browser/buymeacoffee/trunk/includes/class-buy-me-a-coffee.php?rev=2319979#L162

class-buy-me-a-coffee.php in buymeacoffee/trunk/includes – WordPress Plugin Repository
Exploit

CVEs referencing this url
https://www.wordfence.com/threat-intel/vulnerabilities/id/6309258e-e4fc-4edf-a771-2d82a9a85a5c?source=cve

Buy Me a Coffee – Button and Widget Plugin <= 3.7 - Cross-Site Request Forgery
Third Party Advisory
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2935565%40buymeacoffee&new=2935565%40buymeacoffee&sfp_email=&sfph_mail=

Changeset 2935565 for buymeacoffee – WordPress Plugin Repository
Patch

CVEs referencing this url
https://plugins.trac.wordpress.org/browser/buymeacoffee/trunk/admin/class-buy-me-a-coffee-admin.php?rev=2816542

class-buy-me-a-coffee-admin.php in buymeacoffee/trunk/admin – WordPress Plugin Repository
Exploit

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-2079

Products affected by CVE-2023-2079

Exploit prediction scoring system (EPSS) score for CVE-2023-2079

CVSS scores for CVE-2023-2079

CWE ids for CVE-2023-2079

References for CVE-2023-2079