WordPress Plugin Vulnerabilities

LadiApp <= 4.4 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access of data, modification of data, or loss of data due to a missing capability check on an unknown function This makes it possible for authenticated attackers, with subscriber-level access and above, to make use of the unprotected functionality.

Affects Plugins

Plugin icon
ladipage
No known fix

References

CVE
CVE-2023-49158
URL
https://patchstack.com/database/vulnerability/ladipage/wordpress-ladiapp-plugin-4-3-broken-access-control-lead-to-xss-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Truoc Phan
Verified
No
WPVDB ID
103908d2-670f-425d-8473-515438efc1c9

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-01-08 (about 2 years ago)

Other

Published
Title
Published
2021-11-10
Title
WP Reset Pro < 5.99 - Subscriber+ Database Reset
Published
2024-04-22
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.1 - Missing Authorization
Published
2024-01-05
Title
LightStart < 2.6.9 - Subscriber+ Page design Update
Published
2022-01-12
Title
Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS
Published
2024-11-25
Title
Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.6 - Missing Authorization to Unpublished Form Exposure