WordPress Plugin Vulnerabilities

Profile Extra Fields by BestWebSoft < 1.2.8 - Unauthenticated Sensitive Data Disclosure

Description

The plugin does not have authorisation in the prflxtrflds_export_file() function, allowing unauthenticated users to retrieve sensitive data such as the ones entered in custom fields

Affects Plugins

Plugin icon
profile-extra-fields
Fixed in 1.2.8

References

CVE
CVE-2023-4469

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
031da4a6-b196-4221-992e-de96eaf915b0

Timeline

Publicly Published
2023-10-05 (about 2 years ago)
Added
2023-10-12 (about 2 years ago)
Last Updated
2023-10-12 (about 2 years ago)

Other

Published
Title
Published
2026-03-07
Title
Elementor Website Builder < 3.35.6 - Missing Authorization
Published
2025-04-18
Title
AnalyticsWP <= 2.0.0 - Missing Authorization
Published
2025-12-21
Title
Wappointment <=2.7.2 - Missing Authorization
Published
2026-01-12
Title
WP Duplicate Page < 1.8.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication
Published
2024-05-10
Title
Giveaways and Contests by RafflePress < 1.12.5 - Missing Authorization