WordPress Plugin Vulnerabilities

LightStart < 2.6.9 - Subscriber+ Page design Update

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function, allowing authenticated attackers, with subscriber-level access and above, to change page designs.

Affects Plugins

Plugin icon
wp-maintenance-mode
Fixed in 2.6.9

References

CVE
CVE-2023-7019
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b57d3d1d-dcdb-4f11-82d8-183778baa075

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
20d2ff44-f919-4af8-a18b-c796150c4ff3

Timeline

Publicly Published
2024-01-05 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2025-11-03
Title
Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Published
2025-05-30
Title
Woo Slider Pro <= 1.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2025-01-03
Title
Allada T-shirt Designer for Woocommerce <= 1.1 - Missing Authorization
Published
2025-12-16
Title
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent < 4.0.8 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
Published
2025-09-11
Title
Rank Math SEO < 1.0.253 - Missing Authorization