WordPress Plugin Vulnerabilities

WP Cleanfix < 5.7.0 - Subscriber+ Post/Comment/Post Meta Content Replacement

Description

The plugin is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the register function, allowing authenticated attackers, with subscriber-level access and above, to find and replace post, comment, and postmeta content as well as compacting the database.

Affects Plugins

Plugin icon
wp-cleanfix
Fixed in 5.7.0

References

CVE
CVE-2023-48775
URL
https://patchstack.com/database/vulnerability/w3speedster-wp/wordpress-w3speedster-plugin-7-19-cross-site-request-forgery-csrf-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
63a38246-77fd-4ef4-a09a-2dfe7efe2380

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-03-21 (about 2 years ago)

Other

Published
Title
Published
2024-04-22
Title
Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! < 2.1.3 - Missing Authorization to Subscriber+ Arbitrary Post Creation
Published
2026-04-28
Title
Booking for Appointments and Events Calendar – Amelia < 2.2.1 - Missing Authorization
Published
2026-01-09
Title
Proxy & VPN Blocker < 3.5.4 - Missing Authorization
Published
2024-10-25
Title
Download Monitor < 5.0.13 - Missing Authorization to API Key Manipulation
Published
2024-06-03
Title
WP EasyCart < 5.6.0 - Missing Authorization