WordPress Plugin Vulnerabilities

Draw Attention < 2.0.16 - Improper Access Control via register_cpt

Description

The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due improper capability mapping on the register_cpt function in versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with contributor-level access and above, to edit other user's Draw Attention posts.

Affects Plugins

Plugin icon
draw-attention
Fixed in 2.0.16

References

CVE
CVE-2023-46616
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5d635669-ee85-4fb5-8238-3edb3bbb8fb4

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
5352988b-d2bf-4f44-8166-fe7b0b2efe81

Timeline

Publicly Published
2023-10-24 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated Post Meta Change to Arbitrary File Download
Published
2022-05-18
Title
JupiterX Core < 2.0.7 - Information Disclosure, Modification, and Denial of Service
Published
2021-09-01
Title
Gutenberg Template Library & Redux Framework < 4.2.13 - Contributor+ Arbitrary Plugin Installation and Post Deletion
Published
2024-02-27
Title
Under Construction / Maintenance Mode from Acurax <= 2.6 - Information Exposure
Published
2021-10-11
Title
Post Expirator < 2.6.0 - Contributor+ Arbitrary Post Schedule Deletion