WordPress Plugin Vulnerabilities

Custom Login < 4.1.1 - Subscriber+ Unauthorised Action

Description

The plugin does not have proper authorisation in an unknown function, allowing any authenticated attackers, such as subscribers, to perform an unauthorized action

Affects Plugins

Plugin icon
custom-login
Fixed in 4.1.1

References

CVE
CVE-2023-49858
URL
https://patchstack.com/database/vulnerability/custom-login/wordpress-custom-login-plugin-4-1-0-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
27c01465-ca00-4e82-953d-5f1610d5bc0f

Timeline

Publicly Published
2023-12-07 (about 2 years ago)
Added
2023-12-10 (about 2 years ago)
Last Updated
2023-12-15 (about 2 years ago)

Other

Published
Title
Published
2026-01-19
Title
Ecwid Shopping Cart < 7.0.6 - Missing Authorization
Published
2023-04-05
Title
WCFM Marketplace < 3.4.12 - Subscriber+ Unauthorised AJAX Calls
Published
2025-01-30
Title
Custom Login Page Styler < 7.1.2 - Missing Authorization to Authenticated (Subsciber+) Log Deletion and Session Termination
Published
2024-08-16
Title
Asset CleanUp: Page Speed Booster < 1.3.9.4 - Missing Authorization
Published
2024-05-15
Title
Visualizer: Tables and Charts Manager for WordPress < 3.11.0 - Missing Authorization to Arbitrary SQL Execution