WordPress Plugin Vulnerabilities

WRC Pricing Tables < 2.3.8 - Missing Authorization

Description

The WRC Pricing Tables plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on several functions including wrcpt_process_package_features, wrcpt_edit_pricing_packages, wrcpt_activate_template and others in versions up to, and including, 2.3.7. This makes it possible for unauthenticated attackers to make settings changes via nopriv AJAX actions. This plugin was further hardened with appropriate capability checks along-side the nonce checks in version 2.4 so we recommend updating to that version for optimal protection.

Affects Plugins

Plugin icon
wrc-pricing-tables
Fixed in 2.3.8

References

CVE
CVE-2023-32293
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/823dc422-12f4-4f7d-a305-2e4db18bafdf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (Medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
2c460de4-db2a-4634-a564-356d4224145d

Timeline

Publicly Published
2023-09-04 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-03 (about 2 years ago)

Other

Published
Title
Published
2024-12-22
Title
Client Invoicing by Sprout Invoices – Easy Estimates and Invoices < 20.8.2 - Missing Authorization
Published
2026-03-02
Title
G5Plus April <= 6.8 - Missing Authorization
Published
2024-04-22
Title
InstaWP Connect < 0.1.0.25 - Missing Authorization
Published
2025-01-16
Title
Woo Tuner <= 0.1.2 - Missing Authorization
Published
2024-06-28
Title
Uncanny Toolkit Pro for LearnDash < 4.1.4.1 - Missing Authorization to Arbitrary Page/Post Duplication