WordPress Plugin Vulnerabilities

Unyson <= 2.7.28 - Missing Authorization

Description

The Unyson plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions in versions up to, and including, 2.7.28. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions such as dismissing notices.

Affects Plugins

Plugin icon
unyson
No known fix

References

CVE
CVE-2023-44472
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/35421b32-701a-4fc9-bcec-80684d874bab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
0d72fc36-1caa-400b-9a00-f27b8744445d

Timeline

Publicly Published
2023-09-29 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-28 (about 2 years ago)

Other

Published
Title
Published
2026-03-17
Title
Product Slider, Product Grid, Product Masonry < 1.13.62 - Missing Authorization
Published
2025-01-24
Title
Gutenberg Blocks by Kadence Blocks < 3.3.2 - Missing Authorization
Published
2024-07-26
Title
Tutor LMS – Migration Tool <= 2.2.2 - Missing Authorization in tutor_import_from_xml
Published
2024-06-11
Title
InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
Published
2025-09-22
Title
Revive.so < 2.0.7 - Missing Authorization