WordPress Plugin Vulnerabilities

FunnelKit Checkout < 3.11.0 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
woofunnels-aero-checkout
Fixed in 3.11.0

References

CVE
CVE-2023-51671
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9603e394-b358-4599-8610-ef5737a39de0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
179b46af-70bc-43ac-8676-fc7d1a554f81

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2026-03-26
Title
Smart Slider 3 < 3.5.1.34 - Subscriber+ Arbitrary File Read via actionExportAll
Published
2025-10-12
Title
ChatBot < 7.4.0 - Missing Authorization
Published
2025-03-27
Title
Trust.Reviews < 2.4 - Missing Authorization
Published
2025-04-10
Title
Customify <= 0.4.8 - Missing Authorization
Published
2026-01-12
Title
xSmart <= 1.2.9.4 - Missing Authorization