WordPress Plugin Vulnerabilities

FunnelKit Checkout < 3.11.0 - Unauthenticated Arbitrary Content Deletion

Description

The FunnelKit Checkout plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on an unknown function in all versions up to, and including, 3.10.3. This makes it possible for unauthenticated attackers, to delete arbitrary content.

Affects Plugins

Plugin icon
woofunnels-aero-checkout
Fixed in 3.11.0

References

CVE
CVE-2023-51672
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c9d07faf-cc88-4233-a552-55e3376a2fc4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
34d43c26-d528-40c1-9765-9d11b69899e9

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-11-26
Title
Featured Post Creative < 1.5.6 - Missing Authorization
Published
2026-04-15
Title
Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action
Published
2026-04-23
Title
BetterDocs < 4.3.12 - Missing Authorization to Authenticated (Subscriber+) Unauthorized AI API Usage
Published
2025-02-23
Title
Strong Testimonials < 3.2.4 - Missing Authorization
Published
2024-05-15
Title
Tutor LMS Pro < 2.7.1 - Missing Authorization