WordPress Plugin Vulnerabilities

WP Custom Widget area <= 1.2.5 - Missing Authorization

Description

The WP Custom Widget area plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions corresponding to AJAX actions in versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to make use of functionality intended for users with higher privileges. This can lead to the deletion and modification of widgets and menus created using the plugin.

Affects Plugins

Plugin icon
wp-custom-widget-area
No known fix

References

CVE
CVE-2023-45045
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/64559d37-0c6b-45f5-8a2a-6e70cb5e423c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
58008c30-ad3f-4312-b045-cba6dd8ee287

Timeline

Publicly Published
2023-10-03 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-02 (about 2 years ago)

Other

Published
Title
Published
2023-11-27
Title
Participants Database < 2.5.6 - Missing Authorization
Published
2024-05-09
Title
Contact List – Easy Business Directory, Staff Directory and Address Book Plugin < 2.9.88 - Missing Authorization to Notice Dismissal
Published
2025-04-01
Title
RestroPress <= 3.2.4.2 - Missing Authorization
Published
2022-04-02
Title
Quick Adsense < 2.8.2 - Subscriber+ Post Stats Reset
Published
2025-12-12
Title
InstaWP Connect < 0.1.2.0 - Missing Authorization