Premmerce User Roles < 1.0.13 – Missing Authorization via role management functions | CVE 2023-41130 | Plugin Vulnerabilities

Description

The Premmerce User Roles plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to missing capability and nonce checks on the 'createRole', 'updateRole', and 'deleteRole' functions in versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to create, modify, and delete custom roles.

Affects Plugins

premmerce-user-roles

Fixed in 1.0.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f53cd4a3-a6db-42c2-b4d8-218071c4bcd4

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

No

WPVDB ID

38ab74f3-21ad-4e87-88b7-4b909ee4cf57

Timeline

Publicly Published

2023-08-24 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-23 (about 2 years ago)

Other

Published

Title

Published

2024-04-16

Title

Popup Anything < 2.8.1 - Missing Authorization

Published

2024-04-25

Title

Sticky Anything <= 2.1.5 - Missing Authorization

Published

2024-06-11

Title

Newsletter - API v1 and v2 addon for Newsletter < 2.4.6 - Missing Authorization to Email Subscribers Management

Published

2025-12-23

Title

e-xact-hosted-payment <= 2.0 - Unauthenticated Arbitrary File Deletion

Published

2025-12-31

Title

Advanced PDF <= 1.1.7 - Missing Authorization