Sharkdropship for AliExpress Dropship and Affiliate < 2.2.5 – Unauthenticated Settings & Products Update | CVE 2023-30870 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions called via nopriv AJAX actions in the ~/wooshark-aliexpress-importer_init.php file. This makes it possible for unauthenticated attackers to modify many of the plugin's settings and manipulate product details.

Affects Plugins

wooshark-aliexpress-importer

Fixed in 2.2.5

References

CVE

URL

https://patchstack.com/database/vulnerability/wooshark-aliexpress-importer/wordpress-sharkdropship-for-aliexpress-dropship-and-affiliate-plugin-2-2-3-multiple-broken-access-control-vulnerabilities

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

spacecroupier

Verified

No

WPVDB ID

44ec101e-ea8b-45d7-a2f5-32f618ab5e35

Timeline

Publicly Published

2023-10-03 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-03-29 (about 2 years ago)

Other

Published

Title

Published

2026-02-10

Title

JW Player for WordPress <= 2.3.7 - Missing Authorization

Published

2025-04-04

Title

6Storage Rentals <= 2.20.1 - Missing Authorization

Published

2024-02-27

Title

Redirects <= 1.2.1 - Missing Authorization via save

Published

2025-03-28

Title

Shipmondo – A complete shipping solution for WooCommerce < 5.0.4 - Missing Authorization to Authenticated (Customer+) Information Disclosure

Published

2024-07-11

Title

Plum: Spin Wheel & Email Pop-up <= 2.0 - Missing Authorization