WordPress Plugin Vulnerabilities

Wordapp <= 1.5.0 - Authorization Bypass via Insufficiently Unique Cryptographic Signature

Description

The plugin uses an insufficiently unique cryptographic signature in the wa_pdx_op_config_set function, which could allow an unauthenticated attacker to change the validation_token in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation.

Affects Plugins

Plugin icon
wordapp
No known fix

References

CVE
CVE-2023-2987
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wordapp/wordapp-150-authorization-bypass-through-use-of-insufficiently-unique-cryptographic-signature

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
30953a64-38e8-4bff-bbfe-be6c0541b66b

Timeline

Publicly Published
2023-05-30 (about 2 years ago)
Added
2023-05-31 (about 2 years ago)
Last Updated
2023-05-31 (about 2 years ago)

Other

Published
Title
Published
2020-02-26
Title
Export Users to CSV <= 1.4.2 - CSV Injection
Published
2025-07-13
Title
JetEngine < 3.7.1.1 - Contributor+ RCE via Server-Side Template Injection
Published
2018-08-16
Title
Export Users to CSV <= 1.1.1 - CSV Injection
Published
2025-02-17
Title
K Elements < 5.4.0 - Authentication Bypass
Published
2014-08-01
Title
WordPress 3.6 - Post Authorship Spoofing