CVE-2023-47179
Published: 02 January 2025
Summary
CVE-2023-47179 is a high-severity Missing Authorization (CWE-862) vulnerability in Byconsole Wooodt Lite. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 3.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Deeper analysis
The vulnerability is a missing authorization flaw, tracked as CWE-862, in the WooODT Lite WordPress plugin (byconsole-woo-order-delivery-time) maintained by mdalabar. It affects all versions through 2.4.6 and stems from incorrectly configured access control security levels that fail to properly restrict privileged operations.
An authenticated attacker with low-privileged access can exploit the issue over the network to perform arbitrary site option updates. Successful exploitation grants the ability to modify configuration settings, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.
The Patchstack advisory identifies the flaw specifically as an arbitrary site option update vulnerability and provides a database entry for the affected plugin versions. No separate patch or mitigation details are supplied in the reference. The associated EPSS score has remained flat at 0.2399 with no material increase observed after disclosure.
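To make the flaw class concrete, the following is an added, hypothetical illustration (not code from WooODT Lite, its author, or the Patchstack advisory) of a WordPress admin-ajax handler carrying the CWE-862 defect described above, beside its hardened form; the action names, option names and nonce name are assumed.

```php
<?php
/**
 * Added illustration (not WooODT Lite code): the CWE-862 pattern behind
 * "arbitrary site option update" flaws in WordPress plugins, and its fix.
 * Hypothetical action names: 'demo_save_setting' and 'demo_save_setting_safe'.
 */

// VULNERABLE: wp_ajax_ hooks only require that the caller be logged in, so any
// low-privileged account can write any option; nothing checks capability,
// nonce, or which option is being targeted.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// HARDENED: capability check, CSRF nonce, allow-list of option names, sanitization.
const DEMO_ALLOWED_OPTIONS = array( 'demo_delivery_slot_length', 'demo_cutoff_time' );

add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened' );
function demo_save_setting_hardened() {
    // AC-3 / least privilege: only users allowed to manage site configuration proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() terminates the request
    }
    // Reject requests that did not originate from the plugin's own settings form
    // (check_ajax_referer() dies on an invalid or missing nonce).
    check_ajax_referer( 'demo_settings_nonce', 'nonce' );

    // CM-5: restrict which options this endpoint may change at all.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*`, REST route or `admin_post_*` handler that reaches `update_option()` and confirm all three checks (capability, nonce, option allow-list) are present on the same code path.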
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51312
Vulnerability details
Missing Authorization vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooODT Lite: from n/a through <= 2.4.6.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) for arbitrary WordPress option updates by low-privileged users directly enables privilege escalation (T1068) and account manipulation via config changes such as admin email takeover (T1098).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for access to system resources, preventing low-privileged users from exploiting missing authorization to perform arbitrary site option updates.
- CM-5 (Access Restrictions for Change): Restricts access to configuration changes, such as site options, to authorized personnel only, mitigating unauthorized updates by low-privileged users.
- AC-6 (Least Privilege): Enforces least privilege to ensure low-privileged users cannot perform high-impact actions like arbitrary site option modifications even if exploited.