WordPress Plugin Vulnerabilities

Easy Social Feed < 6.5.3 - Subscriber+ Settings Update

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's Facebook and Instagram access tokens and updating group IDs.

Affects Plugins

Plugin icon
easy-facebook-likebox
Fixed in 6.5.3

References

CVE
CVE-2023-6883
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3deee9b5-2e36-447d-a492-e22e3dc6a5ab

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
5de1c34b-0d16-4b55-86b6-23f5d4e77a49

Timeline

Publicly Published
2024-01-02 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2026-03-14
Title
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration < 4.2.9 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter
Published
2023-11-14
Title
Legal Pages < 1.3.9 - Missing Authorization
Published
2024-04-23
Title
Page Builder: Live Composer < 1.5.39 - Missing Authorization
Published
2024-05-10
Title
WC Serial Numbers < 2.1.1 - Missing Authorization
Published
2025-01-07
Title
Post SMTP < 2.9.12 - Missing Authorization via regenerate_qrcode()