WordPress Plugin Vulnerabilities

Sur.ly <= 3.0.3 - Missing Authorization

Description

The Sur.ly plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
surly
No known fix

References

CVE
CVE-2025-23957
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/df7094e5-bccd-471c-8ba1-c8a6b145b957

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
644913e4-f212-483c-a4f0-3c25084b8590

Timeline

Publicly Published
2025-01-16 (about 1 year ago)
Added
2025-01-21 (about 1 year ago)
Last Updated
2025-01-21 (about 1 year ago)

Other

Published
Title
Published
2025-06-19
Title
Cookie-Script.com < 1.2.2 - Missing Authorization
Published
2024-04-05
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.0 - Unauthenticated Arbitrary File Download
Published
2025-08-14
Title
Easy Elementor Addons < 2.2.8 - Missing Authorization
Published
2022-12-23
Title
Events Made Easy < 2.3.17 - Subscriber+ Unauthorised AJAX Calls
Published
2025-04-24
Title
WP Customize Login Page <= 1.6.5 - Missing Authorization