WordPress Plugin Vulnerabilities

Instant CSS < 1.1.5 - Subscriber+ Unauthorised AJAX Calls

Description

The plugin does not have authorisation in various AJAX actions, allowing any authenticated users, such as subscriber to call them and modify/access theme and CSS data for example. It could also lead to Stored XSS issues.

Affects Plugins

Plugin icon
instant-css
Fixed in 1.1.5

References

CVE
CVE-2023-38483

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
3d89ab3e-848e-447b-91c0-d7d5d2e5b788

Timeline

Publicly Published
2023-07-24 (about 2 years ago)
Added
2023-10-12 (about 2 years ago)
Last Updated
2023-10-12 (about 2 years ago)

Other

Published
Title
Published
2022-09-14
Title
Disable User Login <= 1.0.2 - Unauthenticated Settings Update
Published
2025-01-16
Title
Contact Form 7 Anti Spambot <= 1.0.1 - Missing Authorization
Published
2025-09-22
Title
Website Chat Button: Kommo integration <= 1.3.1 - Missing Authorization
Published
2024-08-16
Title
Flash & HTML5 Video < 2.5.31 - Missing Authorization
Published
2024-10-14
Title
Leyka < 3.31.7 - Missing Authorization