WordPress Plugin Vulnerabilities

VK Blocks < 1.58.0.0 - Contributor+ Settings Update via REST API

Description

The plugin uses improper authorization for the REST API vk-blocks/v1/options/vk_font_awesome_version, allowing users with a role as low as contributor to change the vk_font_awesome_version option to an arbitrary value.

Affects Plugins

Plugin icon
vk-blocks
Fixed in 1.58.0.0

References

CVE
CVE-2023-0584
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/vk-blocks/vk-blocks-15705-authenticatedcontributor-settings-update
URL
https://plugins.trac.wordpress.org/browser/vk-blocks/trunk/inc/vk-blocks/font-awesome/class-vk-blocks-font-awesome-api.php

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
3a3485b0-f928-4a1e-8fc8-e090e7880337

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-19 (about 2 years ago)

Other

Published
Title
Published
2021-07-07
Title
WP Upload Restriction < 2.2.5 - Missing Access Control in deleteCustomType
Published
2025-07-03
Title
DocCheck Login < 1.1.6 - Unauthorized Post Access
Published
2024-03-04
Title
Maintenance Mode < 3.0.2 - Unauthenticated Post/Page Content Disclosure
Published
2024-03-01
Title
Avada < 7.11.6 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion