WordPress Plugin Vulnerabilities

Social Warfare < 4.3.1 - Subscriber+ Post Meta Deletion

Description

The plugin does not have authorisation in some AJAX actions, allowing any authenticated users, such as subscriber, to call them and delete arbitrary post meta as well as reset access tokens related to network

Affects Plugins

Plugin icon
social-warfare
Fixed in 4.3.1

References

CVE
CVE-2023-0402

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
5116068f-4b84-42ad-a88d-03e46096b41c

Timeline

Publicly Published
2023-01-05 (about 3 years ago)
Added
2023-01-19 (about 3 years ago)
Last Updated
2023-01-19 (about 3 years ago)

Other

Published
Title
Published
2025-08-15
Title
School Management <= 93.2.0 - Missing Authorization
Published
2026-02-05
Title
Checkout Gateway for IRIS < 1.4 - Missing Authorization
Published
2025-07-18
Title
Vchasno Kasa < 1.0.4 - Unauthenticated Log File Clearing
Published
2025-10-30
Title
The Events Calendar < 6.15.10 - Subscriber+ Draft Event Title/QR Code Exposure
Published
2025-06-19
Title
WooCommerce Manager – Customize and Control Cart page, Add to Cart button, Checkout fields easily <= 1.2.4.5 - Missing Authorization