Description

WordPress Plugin Advanced Access Manager is prone to multiple vulnerabilities, including privilege escalation and information disclosure vulnerabilities. An attacker may leverage these issues to bypass the expected capabilities check and perform otherwise restricted actions, or to obtain sensitive information that may help in launching further attacks. WordPress Plugin Advanced Access Manager version 6.6.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 6.6.2 or latest

References

https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-in-advanced-access-manager/

https://plugins.svn.wordpress.org/advanced-access-manager/trunk/readme.txt

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-8131)

WordPress Clickjacking Vulnerability (0.7 - 3.1.2)

Drupal Other Vulnerability (CVE-2006-2260)

PHP-Fusion Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2013-1806)

ownCloud Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-4397)

Severity

High

Classification

CVE-2020-35934 CVE-2020-35935 CWE-200 CWE-264 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update