WordPress Plugin Vulnerabilities

TextMe SMS < 1.9.1 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
textme-sms-integration
Fixed in 1.9.1

References

CVE
CVE-2023-48287
URL
https://patchstack.com/database/vulnerability/textme-sms-integration/wordpress-textme-sms-plugin-1-9-0-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
Arvandy
Verified
No
WPVDB ID
3c710657-ea21-4b37-ae46-46bb53f8ca8b

Timeline

Publicly Published
2023-11-23 (about 2 years ago)
Added
2023-11-28 (about 2 years ago)
Last Updated
2023-12-05 (about 2 years ago)

Other

Published
Title
Published
2024-06-18
Title
MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-12
Title
Clearfy Cache < 2.2.5 - Missing Authorization
Published
2026-01-14
Title
Raptive Ads <= 3.10.0 - Missing Authorization
Published
2025-01-24
Title
Avada < 7.11.11 - Missing Authorization
Published
2024-05-29
Title
Comparison Slider <= 1.0.5 - Missing Authorization