WordPress Plugin Vulnerabilities

BadgeOS <= 3.7.1.6 - Missing Authorization in delete_badgeos_log_entries

Description

The plugin does not properly authorize requests on the delete_badgeos_log_entries function, allowing attackers with Subscriber permissions and higher to delete the plugin's log entries.

Affects Plugins

Plugin icon
badgeos
No known fix

References

CVE
CVE-2023-2174

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
51b86170-48bb-4083-877d-a445cf590a8d

Timeline

Publicly Published
2023-07-05 (about 2 years ago)
Added
2023-08-31 (about 2 years ago)
Last Updated
2023-08-31 (about 2 years ago)

Other

Published
Title
Published
2023-11-16
Title
wpMandrill <= 1.33 - Missing Authorization via getAjaxStats
Published
2024-10-11
Title
Bridge Core < 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Demo Import
Published
2026-02-25
Title
DEPART < 1.0.8 - Missing Authorization
Published
2025-07-16
Title
Residential Address Detection < 2.5.10 - Missing Authorization
Published
2025-07-30
Title
TheBooking <= 1.4.4 - Missing Authorization