WordPress Plugin Vulnerabilities

Multiple Plugins from Inisev - Subscriber+ Plugin Installation

Description

Multiple plugins from the Inisev vendor are lacking authorisation in the handle_installation function hooked to the inisev_installation AJAX action, allowing any authenticated users, such as subscriber to install plugins from Inisev on the blog

Affects Plugins

Plugin icon
feedburner-alternative-and-rss-redirect
Fixed in 3.8
Plugin icon
ultimate-social-media-icons
Fixed in 2.8.2
Plugin icon
copy-delete-posts
Fixed in 1.4.0
Plugin icon
wp-clone-by-wp-academy
Fixed in 2.3.8
Plugin icon
enhanced-text-widget
Fixed in 1.5.8
Plugin icon
backup-backup
Fixed in 1.2.8
Plugin icon
redirect-redirection
Fixed in 1.1.4
Plugin icon
ultimate-posts-widget
Fixed in 2.2.5
Plugin icon
http-https-remover
Fixed in 3.2.4
Plugin icon
pop-up-pop-up
Fixed in 1.2.0
Plugin icon
ultimate-social-media-plus
Fixed in 3.5.8

References

CVE
CVE-2023-0958
CVE
CVE-2023-38514

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
29ac5a99-f7e1-4d09-b068-bb7f3ac9d1d3

Timeline

Publicly Published
2023-07-27 (about 2 years ago)
Added
2023-07-28 (about 2 years ago)
Last Updated
2023-07-28 (about 2 years ago)

Other

Published
Title
Published
2022-07-26
Title
Transposh WordPress Translation <= 1.0.8 - Subscriber+ Unauthorised Calls
Published
2025-01-24
Title
RomethemeKit For Elementor < 1.5.3 - Missing Authorization
Published
2025-12-31
Title
Tasty Recipes Lite < 1.1.6 - Missing Authorization
Published
2025-03-27
Title
Administrator Z < 2025.03.27 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-01-02
Title
Easy Social Feed < 6.5.3 - Subscriber+ Settings Update