WordPress Plugin Vulnerabilities

Optimize Database after Deleting Revisions < 5.1 - Missing Authorization via 'odb_csv_download'

Description

The Optimize Database after Deleting Revisions plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 5.0.110. This is due to a missing capability check on the 'odb_csv_download' function which is hooked via admin_init. This makes it possible for unauthenticated attackers to trigger a download of the plugin's data.

Affects Plugins

Plugin icon
rvg-optimize-database
Fixed in 5.1

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/09050c1e-26e0-46e7-b5f0-ebaff4066b0a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
1bf13d2a-9492-4f90-9ece-e5da5b132476

Timeline

Publicly Published
2023-10-03 (about 2 years ago)
Added
2023-12-07 (about 2 years ago)
Last Updated
2023-12-07 (about 2 years ago)

Other

Published
Title
Published
2023-09-05
Title
Slider Pro < 4.8.7 - Missing Authorization via AJAX actions
Published
2024-10-24
Title
Image Map Pro < 6.0.21 - Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete
Published
2025-01-16
Title
Xola <= 1.6 - Missing Authorization
Published
2024-11-20
Title
Multiple Themes - Authenticated (Subscriber+) Arbitrary Plugin Activation and Deactivation
Published
2024-03-29
Title
SP Project & Document Manager <= 4.70 - Missing Authorization Stored Cross-Site Scripting