Cyber Resilience

CVE-2023-5559

Severity: Critical · Public PoC referenced

Published: 27 November 2023
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: 10Web Booster 2.24.18 or later
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS: 0.5248 (98.0th percentile)
Risk Priority: 50 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5559 is a critical-severity vulnerability in the 10Web Booster WordPress plugin. No CWE is listed on this page; the underlying weakness is missing validation of an option name passed to some of the plugin's AJAX actions. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, the CVE ranks in the top 2.0% of all CVEs by EPSS exploit likelihood (98.0th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The 10Web Booster WordPress plugin before version 2.24.18 contains a vulnerability in which certain AJAX actions fail to validate supplied option names. This allows arbitrary options to be deleted from the WordPress database, resulting in denial of service. The issue carries a CVSS 3.1 score of 9.1 and affects any site running an unpatched instance of the plugin.

Unauthenticated attackers with network access can invoke the affected AJAX endpoints to remove arbitrary database options. The CVSS vector (AV:N/PR:N/UI:N) reflects this: exploitation needs neither credentials nor user interaction. Deleting core options can disable core WordPress functionality or take the entire site down, which is why the vector scores high impact to integrity and availability while leaving confidentiality unaffected (C:N).
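To make the bug class concrete, the following is an added illustration written for this page, not 10Web Booster's actual code: a WordPress admin-ajax.php handler that deletes whatever option name the request supplies, placed beside a hardened version that removes the anonymous hook, checks a nonce and a capability, and only accepts option names from an allowlist. The action names (`example_delete_option_unsafe`, `example_delete_option`), the option names, the nonce action and the `manage_options` capability are all assumptions for the example; the plugin's real handler and action names are not reproduced on this page.

```php
<?php
/**
 * Added example for this page, not 10Web Booster's code.
 * Action names, option names, the nonce action and the capability
 * are assumed; the plugin's real AJAX handlers are not shown here.
 *
 * Both handlers are reached through wp-admin/admin-ajax.php?action=<name>.
 */

// ---------- Vulnerable pattern (the shape the advisory describes) ----------

// Registering a `wp_ajax_nopriv_` hook makes the handler reachable without a session.
add_action( 'wp_ajax_example_delete_option_unsafe',        'example_delete_option_vulnerable' );
add_action( 'wp_ajax_nopriv_example_delete_option_unsafe', 'example_delete_option_vulnerable' );

function example_delete_option_vulnerable() {
    // The option name comes straight from the request and is never checked,
    // so an anonymous POST can name 'active_plugins', 'siteurl', 'template', ...
    $name = isset( $_POST['option_name'] ) ? (string) $_POST['option_name'] : '';
    delete_option( $name );
    wp_send_json_success( array( 'deleted' => $name ) );
}

// ---------- Hardened pattern ----------

// Only options this plugin owns may be removed through the endpoint (assumed names).
const EXAMPLE_DELETABLE_OPTIONS = array(
    'example_booster_cache_stats',
    'example_booster_last_run',
);

// Authenticated hook only. With no `wp_ajax_nopriv_` registration, anonymous
// callers get admin-ajax.php's default "0" response and never reach the handler.
add_action( 'wp_ajax_example_delete_option', 'example_delete_option_hardened' );

function example_delete_option_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'example_delete_option' ) on the page that issues it).
    check_ajax_referer( 'example_delete_option', 'nonce' );

    // 2. Authorization: being logged in as a subscriber is still not enough.
    //    wp_send_json_error() ends the request, so no explicit return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: normalise, then require an exact allowlist match.
    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! in_array( $name, EXAMPLE_DELETABLE_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    delete_option( $name );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The three checks are independent: the nonce alone does not establish who is calling, the capability check alone does not stop a privileged user from being tricked into a cross-site request, and neither prevents an authorized caller from naming `siteurl`; only the allowlist limits the blast radius to options the plugin owns.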

Public references, including the WPScan advisory, identify the flaw and confirm that updating the 10Web Booster plugin to version 2.24.18 or later addresses the missing input validation. The EPSS score is 0.5248 (98.0th percentile); the page records no earlier, lower value from which it has risen.

Vulnerability details

The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

CWE(s): none listed on this page.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

10Web
10Web Booster (WordPress plugin)
< 2.24.18 (fixed in 2.24.18)

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The one control the advisory itself supports is updating the plugin to 2.24.18 or later.
