WordPress Plugin Vulnerabilities

WP Word Count <= 3.2.4 - Missing Authorization via calculate_statistics

Description

The WP Word Count plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the calculate_statistics function in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger a "Calculate Word Counts" operation.

Affects Plugins

Plugin icon
wp-word-count
No known fix

References

CVE
CVE-2023-46628
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/55dfd822-9034-4982-bfe7-eb86119e1f07

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
46ea937b-4b19-44e7-9d12-f4644800ec47

Timeline

Publicly Published
2023-10-25 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-07-28
Title
Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function
Published
2025-01-24
Title
Super Block Slider < 2.8 - Missing Authorization
Published
2022-05-02
Title
Breeze < 2.0.3 - Subscriber+ Arbitrary Settings Update to Stored XSS
Published
2025-10-24
Title
MDTF < 1.3.4 - Missing Authorization
Published
2024-11-12
Title
Hide Links <= 1.4.2 - Unauthenticated Shortcode Execution