CVE Vulnerability

CVE-2020-35934

The Advanced Access Manager plugin before 6.6.2 for WordPress displays the unfiltered user object (including all metadata) upon login via the REST API (aam/v1/authenticate or aam/v2/authenticate). This is a security problem if this object stores information that the user is not supposed to have (e.g., custom metadata added by a different plugin).

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.wordfence.com/blog/2020/08/high-severity-vulnerability-patched-in-advanced-access-manager/ Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:advanced_access_manager_project:advanced_access_manager:*:*:*:*:*:wordpress:*:*
Information

Published : 2021-01-01 02:15

Updated : 2021-07-21 11:39

NVD link : CVE-2020-35934

Mitre link : CVE-2020-35934

Products Affected
No products.
CWE
CWE-200