WordPress Plugin Vulnerabilities

Show-Hide / Collapse-Expand <= 1.2.5 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them. Furthermore, due to the lack of CSRF check, the issue is also exploitable via CSRF

Affects Plugins

Plugin icon
show-hidecollapse-expand
No known fix

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
76dc554f-e1e6-465b-8d61-536b963406fb

Timeline

Publicly Published
2023-01-04 (about 3 years ago)
Added
2023-06-06 (about 2 years ago)
Last Updated
2023-06-06 (about 2 years ago)

Other

Published
Title
Published
2025-01-30
Title
Ni Sales Commission For WooCommerce <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Commission Update
Published
2025-03-27
Title
Timetics < 1.0.30 - Missing Authorization
Published
2026-01-16
Title
Client Portal – Private user pages and login < 1.2.2 - Missing Authorization
Published
2026-02-05
Title
Checkout Gateway for IRIS < 1.4 - Missing Authorization
Published
2025-12-02
Title
Tiktok Feed < 1.0.24 - Missing Authorization