WordPress Plugin Vulnerabilities

Mark Posts < 2.2.5 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on a function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
mark-posts
Fixed in 2.2.5

References

CVE
CVE-2025-23963
URL
https://patchstack.com/database/wordpress/plugin/mark-posts/vulnerability/wordpress-mark-posts-plugin-2-2-3-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
2358418c-39a7-42e0-9aae-06cc75632157

Timeline

Publicly Published
2025-01-16 (about 1 year ago)
Added
2025-01-21 (about 1 year ago)
Last Updated
2025-01-27 (about 1 year ago)

Other

Published
Title
Published
2025-11-30
Title
Stylish Price List < 7.2.3 - Missing Authorization
Published
2026-01-20
Title
The Events Calendar < 6.15.13.1 - Subscriber+ Data Migration Control
Published
2024-08-28
Title
Login As Users < 1.4.4 - Missing Authorization to Privielge Escalation via Account Takeover
Published
2024-06-06
Title
WooCommerce Dropshipping <= 5.1.2 - Unauthenticated Arbitrary Email Send
Published
2026-02-18
Title
BackWPup < 5.6.3 - BackWPup Helper+ Privilege Escalation via Arbitrary Options Update