WPGetAPI 2.1.0 – 2.2.1 – Authenticated (Subscriber+) Arbitrary Options Update | Plugin Vulnerabilities

Description

The WPGetAPI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_endpoints() function in versions 2.1.0 - 2.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options which can be leveraged for privilege escalation.

Affects Plugins

Fixed in 2.2.2

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/39003835-80df-49c7-982a-346bf328565c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

4be597d5-68e5-4a04-8d96-1ad50c26192b

Timeline

Publicly Published

2023-10-02 (about 2 years ago)

Added

2023-12-05 (about 2 years ago)

Last Updated

2024-01-01 (about 2 years ago)

Other

Published

Title

Published

2026-03-02

Title

VW Pet Shop < 1.4.8 - Missing Authorization

Published

2025-01-16

Title

Xola <= 1.6 - Missing Authorization

Published

2026-05-07

Title

PDF Poster – Display PDF Files with Custom Viewer < 2.5.0 - Missing Authorization

Published

2025-11-14

Title

Contest Gallery < 28.0.3 - Missing Authorization

Published

2026-01-16

Title

RepairBuddy < 4.1121 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders