CVE-2023-5559
Published: 27 November 2023
Summary
CVE-2023-5559 is a critical-severity vulnerability of unspecified weakness type in the 10Web Booster WordPress plugin. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The 10Web Booster WordPress plugin before version 2.24.18 contains a vulnerability in which certain AJAX actions fail to validate supplied option names. This allows arbitrary options to be deleted from the WordPress database, resulting in denial of service. The issue carries a CVSS 3.1 score of 9.1 and affects any site running an unpatched instance of the plugin.
Unauthenticated attackers with network access can invoke the affected AJAX endpoints to remove arbitrary database options. Successful exploitation can disable core WordPress functionality or the entire site without requiring user interaction or credentials, producing high impact to integrity and availability.
Public references, including the WPScan advisory, identify the flaw and confirm that updating the 10Web Booster plugin to version 2.24.18 or later addresses the missing input validation. The associated EPSS score is 0.5248, with no indication that it has risen from a lower baseline.
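To make the bug class concrete, the following is an added illustration written for this page, not code from the 10Web Booster plugin: a hypothetical WordPress AJAX handler that passes a request-supplied option name straight to `delete_option()`, beside a hardened form that restricts the hook to authenticated users, checks a nonce and capability, and validates the option name against an allowlist. The action names, option names and function names are placeholders.

```php
<?php
// Hypothetical plugin code written for this page; not the 10Web Booster source.
// Action names, option names and function names are illustrative placeholders.

// VULNERABLE PATTERN (the bug class described in CVE-2023-5559):
// an AJAX action reachable by unauthenticated users (wp_ajax_nopriv_ hook)
// hands a request-supplied option name directly to delete_option().
add_action( 'wp_ajax_nopriv_example_reset_option', 'example_reset_option_vulnerable' );
function example_reset_option_vulnerable() {
    $name = isset( $_POST['option'] ) ? $_POST['option'] : '';
    delete_option( $name ); // any option, including core settings, can be removed
    wp_send_json_success();
}

// HARDENED PATTERN: authenticated-only hook, nonce check, capability check,
// and a fixed allowlist of the plugin's own option names.
const EXAMPLE_DELETABLE_OPTIONS = array( 'example_cache_stats', 'example_last_run' );

add_action( 'wp_ajax_example_reset_option', 'example_reset_option_hardened' );
function example_reset_option_hardened() {
    // Reject requests that lack a valid nonce issued for this action.
    check_ajax_referer( 'example_reset_option', 'nonce' );

    // Only users allowed to manage options may invoke the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';

    // Validate the option name against the allowlist instead of trusting input.
    if ( ! in_array( $name, EXAMPLE_DELETABLE_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    delete_option( $name );
    wp_send_json_success();
}
```

The `wp_ajax_nopriv_` hook is the part that exposes the handler to unauthenticated callers; dropping it is necessary but not sufficient, since the allowlist is what stops an authenticated user from naming an arbitrary option.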
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-57859
Vulnerability details
The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.