WordPress Plugin Vulnerabilities

WP VR < 8.2.8 - Subscriber+ Settings Update

Description

The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated users, such as subscriber, to update them.

Note:
- The original advisory mentions the issue to be a CSRF, however the lack of authorisation makes it easier for any authenticated users to perform such attack themselves.
- v8.2.8 added a CSRF check but is still missing proper authorisation.

Proof of Concept

Affects Plugins

Plugin icon
wpvr
Fixed in 8.2.8

References

CVE
CVE-2023-25708

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
0f7356f9-a373-4c65-a21b-f756851aa2ca

Timeline

Publicly Published
2023-02-14 (about 3 years ago)
Added
2023-03-15 (about 2 years ago)
Last Updated
2023-03-15 (about 2 years ago)

Other

Published
Title
Published
2023-06-12
Title
WP Directory Kit < 1.2.4 - Missing Authorization for Plugin Settings Update
Published
2025-01-16
Title
Slides & Presentations <= 0.0.39 - Missing Authorization to Content Injection
Published
2025-04-01
Title
Zoho Flow < 2.13.4 - Missing Authorization
Published
2023-11-28
Title
LadiApp <= 4.4 - Missing Authorization
Published
2025-10-19
Title
BuddyForms <= 2.9.0 - Missing Authorization