WordPress Plugin Vulnerabilities

Leyka < 3.30.3 - Subscriber+ Privilege Escalation

Description

The plugin does not validate password to be updated, allowing any authenticated user, such as subscriber to set the password of another user.

Affects Plugins

Plugin icon
leyka
Fixed in 3.30.3

References

CVE
CVE-2023-33327

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Nguyen Anh Tien
Verified
No
WPVDB ID
0b8ef3d7-3cce-4381-9e7a-5b7033182125

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-06-21 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2025-12-10
Title
WP CarDealer < 1.2.17 - Unauthenticated Privilege Escalation
Published
2026-03-02
Title
LatePoint < 5.2.8 - Agent+ Privilege Escalation
Published
2025-07-31
Title
DELUCKS SEO < 2.6.1 - Authenticated (Subscriber+) Privilege Escalation
Published
2022-12-01
Title
ARMember < 5.6 - Unauthenticated Privilege Escalation
Published
2026-03-20
Title
App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter