WordPress Plugin Vulnerabilities

Booster Elite for WooCommerce < 7.1.3 - Subscriber+ Content Injection

Description

The Booster Elite for WooCommerce plugin for WordPress is vulnerable to content injection via an unknown parameter in all versions up to and including 7.1.2 due to insufficient capability checks. This makes it possible for authenticated attackers, with subscriber access and above, to create and edit content using the plugin.

Affects Plugins

Plugin icon
booster-elite-for-woocommerce
Fixed in 7.1.3

References

CVE
CVE-2023-51511
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/995a086a-4795-4092-823c-b941445dc361

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
14901868-7551-490a-b975-e44675ad2a19

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2021-01-12
Title
WP Quick FrontEnd Editor <= 5.5 - Authenticated Content Injection
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Content Injection
Published
2026-04-29
Title
Five Star Restaurant Reservations < 2.7.17 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter
Published
2024-06-27
Title
WooCommerce < 9.0.0 - Shop Manager+ Content Injection
Published
2024-03-19
Title
WooCommerce POS < 1.4.12 - Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure