WordPress Plugin Vulnerabilities

Swift Performance Lite <= 2.3.6.14 - Unauthenticated Configuration Export

Description

The plugin does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens.

Proof of Concept

Affects Plugins

Plugin icon
swift-performance-lite
Fixed in 2.3.6.15

References

CVE
CVE-2023-6289

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając (CERT PL)
Submitter
Krzysztof Zając (CERT PL)
Submitter website
https://cert.pl
Submitter twitter
cert_polska_en
Verified
Yes
WPVDB ID
8c83dd57-9291-4dfc-846d-5ad47534e2ad

Timeline

Publicly Published
2023-11-27 (about 2 years ago)
Added
2023-11-27 (about 2 years ago)
Last Updated
2023-11-27 (about 2 years ago)

Other

Published
Title
Published
2023-11-21
Title
UserPro < 5.1.2 - Authentication Bypass to Administrator
Published
2025-03-13
Title
WP JobHunt <= 7.1 - Authentication Bypass
Published
2024-07-19
Title
WooCommerce - Social Login < 2.7.4 - Unauthenticated Privilege Escalation via One-Time Password
Published
2024-04-17
Title
SSL Zen <= 4.5.3 - Unauthenticated Private Keys Access
Published
2023-07-18
Title
OAuth Single Sign On – SSO (OAuth Client) < 6.23.4 - Improper Authentication