WordPress Plugin Vulnerabilities

Mega Addons For WPBakery Page Builder <= 4.3.0 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
mega-addons-for-visual-composer
No known fix

References

CVE
CVE-2022-4501

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
Yes
WPVDB ID
43737a78-9eda-46c9-a603-af2af6e8eaee

Timeline

Publicly Published
2022-12-14 (about 3 years ago)
Added
2022-12-14 (about 3 years ago)
Last Updated
2023-05-04 (about 2 years ago)

Other

Published
Title
Published
2026-01-05
Title
Sugar Calendar (Lite) <= 3.10.1 - Missing Authorization
Published
2025-10-08
Title
Doppler Forms < 2.6.0 - Subscriber+ Limited Plugin Installation
Published
2025-04-08
Title
Site Notify <= 1.0 - Missing Authorization
Published
2023-05-19
Title
Groundhogg < 2.7.10 - Lack of Authorization for Non-Arbitrary File upload
Published
2024-04-15
Title
WPC Grouped Product for WooCommerce < 4.4.3 - Missing Authorization