WordPress Plugin Vulnerabilities

Buy Me a Coffee – Button and Widget Plugin < 3.8 - Subscriber+ Unauthorized Data Modification

Description

The plugin does not perform capability checks on certain functions, allowing users with minimal permissions, such as subscribers, to modify the plugin's settings.

Affects Plugins

Plugin icon
buymeacoffee
Fixed in 3.8

References

CVE
CVE-2023-2078
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c1c218c6-1599-4dc9-846f-e0ef74821488

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
808022b9-f61a-495d-81a7-d486795f6fa4

Timeline

Publicly Published
2023-07-10 (about 2 years ago)
Added
2023-07-11 (about 2 years ago)
Last Updated
2023-07-11 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
Shiptimize for WooCommerce <= 3.1.86 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2026-03-23
Title
Vertex Addons for Elementor < 1.7.0 - Missing Authorization
Published
2025-11-12
Title
Online Booking & Scheduling Calendar for WordPress by vcita < 4.6.0 - Missing Authorization
Published
2023-02-27
Title
ProfileGrid < 5.3.1 - Subscriber+ Arbitrary Password Reset
Published
2025-04-15
Title
JetMenu < 2.4.9.1 - Missing Authorization