Description

A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.

Remediation

References

CVE-2023-6152

Related Vulnerabilities

WordPress Plugin Mz-jajak 'id' Parameter SQL Injection (2.1)

WordPress Plugin Contact Form by BestWebSoft Cross-Site Scripting (3.51)

Vanilla Forums Deserialization of Untrusted Data Vulnerability (CVE-2018-19499)

phpBB Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2020-5502)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-2242)

Severity

Medium

Classification

CVE-2023-6152 CWE-863 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Tags

Missing Update Known Vulnerabilities