CVE-2023-5576 - Vulnerability Details - OpenCVE

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Wpvivid	Migration\, Backup\, Staging

Configuration 1 [-]

cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json
https://plugins.trac.wordpress.org/changeset/2977863/
https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve

History

Wed, 05 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-10-20T06:35:20.189Z

Updated: 2025-02-05T19:07:34.349Z

Reserved: 2023-10-13T15:42:14.873Z

Link: CVE-2023-5576

Vulnrichment

Updated: 2024-08-02T08:07:31.693Z

NVD

Status : Modified

Published: 2023-10-20T07:15:17.790

Modified: 2024-11-21T08:42:03.063

Link: CVE-2023-5576

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5576", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-10-13T15:42:14.873Z", "datePublished": "2023-10-20T06:35:20.189Z", "dateUpdated": "2025-02-05T19:07:34.349Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-10-20T06:35:20.189Z"}, "affected": [{"vendor": "wpvividplugins", "product": "Migration, Backup, Staging \u2013 WPvivid", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "0.9.91", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering."}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json"}, {"url": "https://plugins.trac.wordpress.org/changeset/2977863/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Information Exposure"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8, "baseSeverity": "HIGH"}}], "timeline": [{"time": "2023-10-13T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:07:31.693Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/2977863/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-05T18:34:58.111705Z", "id": "CVE-2023-5576", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T19:07:34.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/2977863/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:07:31.693Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5576", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-05T18:34:58.111705Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T18:34:59.399Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N"}}], "affected": [{"vendor": "wpvividplugins", "product": "Migration, Backup, Staging \u2013 WPvivid", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "0.9.91"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-10-13T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json"}, {"url": "https://plugins.trac.wordpress.org/changeset/2977863/"}], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2023-10-20T06:35:20.189Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5576", "state": "PUBLISHED", "dateUpdated": "2025-02-05T19:07:34.349Z", "dateReserved": "2023-10-13T15:42:14.873Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2023-10-20T06:35:20.189Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpvivid:migration\\,_backup\\,_staging:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6D75D579-0FCD-42C1-9CA1-FA0C938ADB2D", "versionEndIncluding": "0.9.91", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering."}, {"lang": "es", "value": "El complemento Migration, Backup, Staging - WPvivid para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en versiones hasta la 0.9.91 incluida a trav\u00e9s de los secretos de la API de Google Drive almacenados en texto plano en la fuente del complemento visible p\u00fablicamente. Esto podr\u00eda permitir a atacantes no autenticados hacerse pasar por la cuenta de WPVivid Google Drive a trav\u00e9s de la API si pueden enga\u00f1ar a un usuario para que se vuelva a autenticar mediante otra vulnerabilidad o ingenier\u00eda social."}], "id": "CVE-2023-5576", "lastModified": "2024-11-21T08:42:03.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-20T07:15:17.790", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2977863/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/2977863/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4658109d-295c-4a1b-b219-ca1f4664ff1d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}