Cyber Posture

CVE-2023-46632

High

Published: 02 January 2025

Modified: 28 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0011 (29.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Missing Authorization vulnerability in David Cramer My Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Shortcodes: from n/a through 2.3.

Security Summary

CVE-2023-46632 is a missing authorization vulnerability (CWE-862) in the My Shortcodes WordPress plugin by David Cramer. The flaw allows exploitation of incorrectly configured access control security levels and affects all versions of the plugin through 2.3. It carries a CVSS v3.1 base score of 7.1, rated high severity, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H.

The vulnerability can be exploited by a low-privileged authenticated user (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables limited integrity modifications (I:L) and high-impact disruption to availability (A:H), such as denial of service, while confidentiality remains unaffected (C:N) and scope is unchanged (S:U).

The Patchstack advisory provides further details on this broken access control issue in My Shortcodes version 2.3 and related mitigation guidance at https://patchstack.com/database/wordpress/plugin/my-shortcodes/vulnerability/wordpress-my-shortcodes-plugin-2-3-broken-access-control-vulnerability?_s_id=cve.

Details

CWE(s): CWE-862
