WordPress Plugin Vulnerabilities

Simplr Registration Form Plus+ <= 2.4.5 - Subscriber+ Arbitrary User Password Change via IDOR

Description

The plugin is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts.

Affects Plugins

Plugin icon
simplr-registration-form
No known fix

References

CVE
CVE-2023-4213

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
5dfc5cb8-53bc-4106-93aa-fb7894ae6453

Timeline

Publicly Published
2023-09-12 (about 2 years ago)
Added
2023-09-14 (about 2 years ago)
Last Updated
2023-09-14 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Content Mask <= 1.8.5.3 - Authenticated (Author+) Insecure Direct Object Reference
Published
2022-12-02
Title
Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR
Published
2021-03-17
Title
BuddyPress < 7.2.1 - Invite Member to Join Group
Published
2025-12-02
Title
Projectopia <= 5.1.22 - Authenticated (Custom+) Insecure Direct Object Reference
Published
2025-12-01
Title
Contact Form Email < 1.3.61 - Unauthenticated Insecure Direct Object Reference