WordPress Plugin Vulnerabilities

VK Blocks < 1.57.1.0 - Contributor+ Settings Update via REST API

Description

The plugin uses improper authorization for the REST API vk-blocks/v1/update_vk_blocks_options, allowing users with a role as low as contributor to change plugin settings including default icons.

Affects Plugins

Plugin icon
vk-blocks
Fixed in 1.57.1.0

References

CVE
CVE-2023-0583
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-blocks/vk-blocks-15305-authenticatedcontributor-settings-update
URL
https://plugins.trac.wordpress.org/browser/vk-blocks/trunk/inc/vk-blocks/App/RestAPI/BlockMeta/class-vk-blocks-entrypoint.php

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
391e016e-66a1-400a-a783-713f03f291ee

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-06 (about 2 years ago)

Other

Published
Title
Published
2024-06-20
Title
Solid Security < 9.3.2 - IP Address Spoofing to Denial of Service
Published
2021-08-31
Title
WooCommerce Dynamic Pricing & Discounts < 2.4.2 - Unauthenticated Settings Export
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated Post Meta Change to Arbitrary File Download
Published
2021-09-15
Title
Find My Blocks < 3.4.0 - Private Post Titles Disclosure
Published
2022-01-04
Title
Advanced Cron Manager - Subscriber+ Arbitrary Events/Schedules Creation/Deletion