User Shortcodes Plus <= 2.0.2 – Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode | CVE 2023-6969 | Plugin Vulnerabilities

Description

The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive user meta.

Affects Plugins

user-shortcodes-plus

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/76a0a87a-dff0-4a51-bad0-8868c342ecde

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

582a1375-4126-4862-b89d-4d960e68f666

Timeline

Publicly Published

2024-02-26 (about 2 years ago)

Added

2024-02-26 (about 2 years ago)

Last Updated

2024-02-26 (about 2 years ago)

Other

Published

Title

Published

2025-11-26

Title

QODE Wishlist for WooCommerce < 1.2.8 - Unauthenticated Insecure Direct Object Reference to Wishlist Update

Published

2025-08-15

Title

School Management <= 93.1.0 - Unauthenticated Insecure Direct Object Reference

Published

2025-12-05

Title

Fluent Forms < 6.1.8 - Unauthenticated Payment Status Tampering via IDOR

Published

2023-09-12

Title

wpDiscuz < 7.6.4 - Post Rating Increase/Decrease iva IDOR

Published

2026-03-11

Title

WpStream < 4.11.2 - Authenticated (Subscriber+) Insecure Direct Object Reference