WordPress Plugin Vulnerabilities

Pre-Publish Checklist < 1.1.2 - Insecure Direct Object Reference to Arbitrary Post '_ppc_meta_key' Update

Description

The Pre-Publish Checklist plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.1.1 via the ppc_meta_box_ajax_add_handler and ppc_meta_box_ajax_delete_handler functions due to missing validation on a user controlled key. This can allow authenticated attackers with contributor-level access and above to modify and delete the '_ppc_meta_key' post meta value for arbitrary posts.

Affects Plugins

Plugin icon
pre-publish-checklist
Fixed in 1.1.2

References

CVE
CVE-2023-44151
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e00a06c-9623-48e0-b212-20a2f1e7e640

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
0dc5f6fa-ab89-4c16-87cb-0bf9f548d3ef

Timeline

Publicly Published
2023-09-22 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-21 (about 2 years ago)

Other

Published
Title
Published
2026-02-11
Title
Paid Member Subscriptions < 2.16.9 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-07-01
Title
MasterStudy LMS < 3.3.24 - Privilege Escalation to Instructor
Published
2026-01-29
Title
Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-10-21
Title
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out
Published
2025-02-21
Title
WP Job Portal < 2.2.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection