WordPress Plugin Vulnerabilities

Easy Social Icons < 3.2.5 - Missing Authorization via cnss_save_ajax_order

Description

The Easy Social Icons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cnss_save_ajax_order function in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the order of social icons.

Affects Plugins

Plugin icon
easy-social-icons
Fixed in 3.2.5

References

CVE
CVE-2023-33998
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c3bdc0c4-34fb-43cc-ba2b-340347bca146

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Anh Tien
Verified
No
WPVDB ID
15eb20b5-2f2b-41db-bd3b-014f899666cd

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-04-02
Title
WooTumblog <= 2.1.4 - Missing Authorization to Unauthenticated Content Injection
Published
2024-12-17
Title
Traveler < 3.1.7 - Missing Authorization in Several AJAX Actions
Published
2025-01-16
Title
Email Capture & Lead Generation <= 1.0.2 - Missing Authorization
Published
2025-12-07
Title
WooCommerce PDF Invoices & Packing Slips < 5.0.0 - Missing Authorization
Published
2026-02-18
Title
Aruba HiSpeed Cache < 3.0.5 - Missing Authorization