WordPress Plugin Vulnerabilities

LuckyWP Scripts Control < 1.2.2 - CSRF via multiple AJAX actions

Description

The plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on multiple AJAX functions. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, edit, delete, enable, disable, and sort items.

Affects Plugins

Plugin icon
luckywp-scripts-control
Fixed in 1.2.2

References

CVE
CVE-2023-29239
URL
https://patchstack.com/database/vulnerability/luckywp-scripts-control/wordpress-luckywp-scripts-control-plugin-1-2-1-broken-access-control-csrf-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Elliot
Verified
No
WPVDB ID
0eded434-150e-4bd9-8e97-e881068469dd

Timeline

Publicly Published
2023-08-28 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-10-21 (about 1 year ago)

Other

Published
Title
Published
2025-12-23
Title
Brave < 0.8.4 - Missing Authorization
Published
2026-02-03
Title
Subscribe2 < 10.45 - Missing Authorization
Published
2026-02-06
Title
The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification
Published
2023-06-26
Title
AutomateWoo < 5.7.6 - Missing Authorization
Published
2025-08-27
Title
AfterShip Tracking < 1.17.18 - Missing Authorization