CVE-2023-25469

Vulnerability

Overview The Easy Table of Contents plugin for WordPress, versions prior to 2.0.45.2, contains a missing authorization vulnerability. The plugin fails to properly enforce access controls, allowing unprivileged users to execute functions that should require higher privileges [1].

Exploitation

This broken access control issue can be exploited by any unauthenticated or low-privileged user who can send crafted requests to the affected plugin. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites simultaneously, regardless of site popularity or traffic [1].

Impact

While the vulnerability is rated as low severity and considered unlikely to be exploited, it still poses a risk. An attacker could potentially access sensitive information or perform unauthorized actions, depending on the specific missing authorization checks. The CVSS score is 5.4 (Medium) [1].

Mitigation

Users are strongly advised to update the Easy Table of Contents plugin to version 2.0.46 or later, which contains the fix. For those unable to update immediately, Patchstack has issued a mitigation rule to block attacks until the update is applied [1].