Visitors Traffic Real Time Statistics < 7.3 – Missing Authorization via multiple AJAX actions | CVE 2023-47557 | Plugin Vulnerabilities

Description

The Visitors Traffic Real Time Statistics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to view visitor statistics.

Affects Plugins

visitors-traffic-real-time-statistics

Fixed in 7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f4aac424-abf3-4d6c-a0a4-a95e2cf89864

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

7aa85346-f20a-4a8a-9105-ed4d9bb59344

Timeline

Publicly Published

2023-11-07 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-03-12 (about 2 years ago)

Other

Published

Title

Published

2026-01-05

Title

MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.7.7 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion

Published

2025-01-06

Title

Infility Global < 2.9.9 - Subscriber+ Plugin Settings Update

Published

2025-01-03

Title

Nexter Blocks < 4.0.8 - Missing Authorization

Published

2025-10-14

Title

WPBifröst – Instant Passwordless Temporary Login Links < 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Published

2025-03-04

Title

Sparkling < 2.4.10 - Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation