WordPress Plugin Vulnerabilities

All Users Messenger <= 1.24 - Subscriber+ Message Deletion via IDOR

Description

The plugin does not prevent non-administrator users from deleting messages from the all-users messenger.

Proof of Concept

Affects Plugins

Plugin icon
all-users-messenger
No known fix

References

CVE
CVE-2023-4023
URL
https://blog.cleantalk.org/cve-2023-4023-all-users-messenger/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://blog.cleantalk.org
Verified
Yes
WPVDB ID
682c0226-28bd-4051-830d-8b679626213d

Timeline

Publicly Published
2023-08-07 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-30
Title
Typer Core <= 1.9.6 - Authenticated (Contributor+) Post Disclosure
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Poll Limit Bypass
Published
2025-07-30
Title
Motors < 1.4.81 - Unauthenticated Insecure Direct Object Reference
Published
2024-11-11
Title
Futurio Extra < 2.0.14 - Authenticated (Contributor+) Post Disclosure
Published
2022-08-01
Title
WPQA < 5.7 - Subscriber+ Private Message Disclosure via IDOR