WordPress Plugin Vulnerabilities

Essential Blocks for Gutenberg < 4.2.1 - Subscriber+ Unauthorised Actions

Description

The plugin does not have proper authorisation checks in various functions, allowing any authenticated users, such as subscribers to perform unauthorized actions.

Affects Plugins

Plugin icon
essential-blocks
Fixed in 4.2.1

References

CVE
CVE-2023-51360
URL
https://patchstack.com/database/vulnerability/essential-blocks/wordpress-essential-blocks-plugin-4-2-0-multiple-subscriber-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
6f15a510-e8ae-4caf-b406-da9fdc464e04

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
RomethemeKit For Elementor < 1.5.3 - Missing Authorization
Published
2023-10-25
Title
WP EXtra < 6.3 - Missing Authorization to Arbitrary Email Sending
Published
2025-06-27
Title
Spreadconnect <= 2.1.5 - Missing Authorization
Published
2023-11-28
Title
Razorpay for WooCommerce < 4.5.7 - Subscriber+ Transfers Manipulation
Published
2024-01-17
Title
12 Step Meeting List < 3.14.29 - Subscriber+ CSV Download