WordPress Plugin Vulnerabilities

avalex – Automatisch sichere Rechtstexte < 3.0.9 - Missing Authorization

Description

The plugin is vulnerable to unauthorized modifcation of data due to a missing capability check on the saveApiKey() function hooked via admin_init in all versions up to, and including, 3.0.8. This makes it possible for unauthenticated attackers to modify the API key for the plugin.

Affects Plugins

Plugin icon
avalex
Fixed in 3.0.9

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7319293e-f921-46d1-aea6-2578d1a251a7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
63138ffa-b4e6-4d8f-851d-0dbeed8ea0bb

Timeline

Publicly Published
2023-11-14 (about 2 years ago)
Added
2024-01-17 (about 2 years ago)
Last Updated
2024-01-17 (about 2 years ago)

Other

Published
Title
Published
2025-12-31
Title
Headinger for Elementor <= 1.1.4 - Missing Authorization
Published
2024-12-10
Title
RapidLoad – Optimize Web Vitals Automatically < 2.4.3 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection
Published
2025-02-03
Title
Slide Banners <= 1.3 - Missing Authorization
Published
2023-12-27
Title
AI Power: Complete AI Pack – Powered by GPT-4 < 1.8.3 - Missing Authorization to Sensitive Data Exposure
Published
2024-07-23
Title
Social Auto Poster < 5.3.15 - Missing Authorization via Multiple Functions