Headline Analyzer < 1.3.2 – Missing Authorization via REST APIs | CVE 2023-46195 | Plugin Vulnerabilities

Description

The Headline Analyzer plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions called via REST API endpoints in versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to retrieve and update headline post data as well as disconnect and connect an account for the plugin.

Affects Plugins

headline-analyzer

Fixed in 1.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a057ad05-0ed7-48c4-9dc1-0e7b1d3cb270

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

5b2a0cb8-12d4-481b-9e14-6e368532ed06

Timeline

Publicly Published

2023-10-18 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-12 (about 2 years ago)

Other

Published

Title

Published

2024-07-26

Title

WooCommerce Product Table Lite < 3.8.6 - Missing Authorization to (Subscriber+) Stored Cross-Site Scripting

Published

2026-02-09

Title

YayCurrency < 3.3.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Published

2025-12-31

Title

Appender <= 1.1.1 - Missing Authorization

Published

2025-01-16

Title

Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2023-10-17

Title

Themify Ultra < 7.3.6 - Missing Authorization