WordPress Plugin Vulnerabilities

Checkout Mestres WP < 7.1.9.8 - Missing Authorization to Unauthenticated Arbitrary Options Update

Description

The Checkout Mestres WP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 7.1.9.6. This makes it possible for unauthenticated attackers to update arbitrary site options.

Affects Plugins

Plugin icon
checkout-mestres-wp
Fixed in 7.1.9.8

References

CVE
CVE-2023-51471
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8a52bf70-667b-400f-8912-75fae20a3f5b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
189ed2b9-10f8-46ec-893d-cbfce22d69ab

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2022-11-28
Title
WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation
Published
2026-02-21
Title
Diet Calorie Calculator <= 1.1.1 - Missing Authorization
Published
2025-07-03
Title
WC Pickup Store < 1.8.10 - Unauthenticated Settings Update
Published
2024-07-26
Title
Tutor LMS – Migration Tool <= 2.2.2 - Missing Authorization in tutor_lp_export_xml
Published
2025-10-31
Title
Qi Blocks < 1.4.4 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update