WordPress Plugin Vulnerabilities

IMPress Listings <= 2.6.2 - Missing Authorization

Description

The IMPress Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to perform unauthorized actions.

Affects Plugins

Plugin icon
wp-listings
No known fix

References

CVE
CVE-2023-45633
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f426c32e-a376-4447-b83f-409a8eb0c499

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Nguyen Anh Tien
Verified
No
WPVDB ID
624095b2-ca58-4a65-9953-dab43ae78cef

Timeline

Publicly Published
2023-10-11 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-10 (about 2 years ago)

Other

Published
Title
Published
2024-07-19
Title
CTX Feed < 6.5.7 - Shop Manager+ Arbitrary Options Update
Published
2025-10-02
Title
SiteAlert (Formerly WP Health) <= 1.9.8 - Missing Authorization to Unauthenticated Site Health Information Exposure
Published
2025-07-28
Title
Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function
Published
2026-02-18
Title
Mesmerize Companion < 1.6.162 - Missing Authorization Authenticated (Subscriber+) Settings Update
Published
2025-01-07
Title
The Ultimate WordPress Toolkit – WP Extended < 3.0.12 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting