Product Recommendation Quiz for eCommerce < 2.1.2 – Missing Authorization in prq_set_token | CVE 2023-46631 | Plugin Vulnerabilities

Description

The Product Recommendation Quiz for eCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the prq_set_token function in versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to modify plugin settings via a request to the 'settoken' REST API endpoint.

Affects Plugins

product-recommendation-quiz-for-ecommerce

Fixed in 2.1.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f10ae2b6-1580-418c-9cf7-e75ed71bb309

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

451ee486-bbd5-40b0-84a1-8835dd24ed5a

Timeline

Publicly Published

2023-10-25 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-12-22

Title

Client Invoicing by Sprout Invoices – Easy Estimates and Invoices < 20.8.2 - Missing Authorization

Published

2025-02-17

Title

Affiliate Links: WordPress Plugin for Link Cloaking and Link Management < 3.1.0 - Missing Authorization to Unauthenticated Import/Export and PHP Object Injection

Published

2025-08-13

Title

Netease Music <= 3.2.1 - Missing Authorization

Published

2026-01-29

Title

Echo Knowledge Base – Documentation, FAQs, AI Chat & AI Search < 16.20.0 - Missing Authorization

Published

2025-01-31

Title

WordPress Contact Forms by Cimatti < 1.9.5 - Missing Authorization to Unauthenticated Form Submission Download