WordPress Plugin Vulnerabilities

Secure Admin IP <= 2.0 - Missing Authorization via 'saveSettings'

Description

The Secure Admin IP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveSettings' function that runs on 'admin_init' in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to modify the plugin's settings.

Affects Plugins

Plugin icon
secure-admin-ip
No known fix

References

CVE
CVE-2023-41133
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a0f38af7-7753-4dbe-a4fd-e9a01785dd13

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (Medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
57bb0eba-532b-49a3-b2ae-6172108fe0cb

Timeline

Publicly Published
2023-08-24 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-23 (about 2 years ago)

Other

Published
Title
Published
2025-11-03
Title
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One 2.0.7 - 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Post Creation
Published
2026-02-09
Title
Bakes And Cakes < 1.3.0 - Missing Authorization
Published
2026-01-17
Title
Premium Addons for Elementor < 4.11.64 - Subscriber+ Settings Update
Published
2026-01-13
Title
Bayarcash WooCommerce < 4.3.14 - Missing Authorization
Published
2024-02-27
Title
Page Restriction WordPress (WP) < 1.3.5 - Unauthenticated Protected Post Access