WordPress Plugin Vulnerabilities

WP Custom Admin Interface < 7.33 - Missing Authorization to Transients Deletion

Description

The WP Custom Admin Interface plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_custom_admin_interface_delete_transients function in versions up to, and including, 7.32. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to delete plugin transients.

Affects Plugins

Plugin icon
wp-custom-admin-interface
Fixed in 7.33

References

CVE
CVE-2023-44988
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/418b9138-9ae0-41f1-a75b-69cbcaffbb88

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
3b95d149-b3ab-4656-80e5-6cc90ca6750a

Timeline

Publicly Published
2023-09-29 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2025-02-24
Title
DefendWP Firewall < 1.1.1 - Missing Authorization
Published
2025-01-16
Title
Goldstar <= 2.1.1 - Missing Authorization
Published
2025-01-16
Title
Copy Move Posts <= 1.6 - Missing Authorization
Published
2025-10-05
Title
Testimonial Slider <= 2.0.15 - Missing Authorization
Published
2024-07-04
Title
The Post Grid < 7.7.5 - Missing Authorization via AJAX