WooODT Lite < 2.4.7 – Missing Authorization to Arbitrary Options Update | CVE 2023-47179 | Plugin Vulnerabilities

Description

The WooODT Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the byconsolewooodt_admin_fields_setting_files() function hooked via AJAX in versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify arbitrary site options which can easily be leveraged for privilege escalation.

Affects Plugins

byconsole-woo-order-delivery-time

Fixed in 2.4.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9939f297-e3ca-4d7d-9acd-c416ee2014c9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

7034ff9e-ed61-4316-95e9-7d1994f3ad74

Timeline

Publicly Published

2023-10-31 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-12-05

Title

Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update

Published

2024-12-02

Title

Church Admin < 5.0.9 - Missing Authorization

Published

2023-11-27

Title

Yet Another Stars Rating < 3.4.4 - Missing Authorization via init

Published

2025-12-12

Title

Ultimate Auction <= 4.3.2 - Missing Authorization

Published

2024-04-09

Title

Post Type Builder < 2.1.4 - Subscriber+ Arbitrary Post/Page Creation