WordPress Plugin Vulnerabilities

BulkGate SMS Plugin for WooCommerce < 3.0.3 - Missing Authorization via Multiple AJAX Actions

Description

The BulkGate SMS Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to save module settings among other actions.

Affects Plugins

Plugin icon
woosms-sms-module-for-woocommerce
Fixed in 3.0.3

References

CVE
CVE-2023-51679
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93e590f8-5f8d-4ee5-bcff-96bcb8daf4b7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
7a39ca32-4da1-419d-9b9d-855cd9303ac5

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-09-04
Title
Booking for Appointments and Events Calendar – Amelia Premium <= 7.7 and Lite < 1.2.5 - Missing Authorization to Sensitive Information Exposure
Published
2024-03-19
Title
Advanced Classifieds & Directory Pro < 3.1.2 - Missing Authorization to Arbitrary Attachment Deletion
Published
2024-06-27
Title
Progress Planner < 0.9.2 - Missing Authorization
Published
2025-05-16
Title
Element Pack Pro < 8.0.0 - Missing Authorization
Published
2025-12-31
Title
Custom Admin Interface < 7.41 - Missing Authorization