WordPress Plugin Vulnerabilities

LoginPress < 1.6.3 - Unauthenticated Settings Update

Description

The plugin does not have authorisation and CSRF checks when updating its Opt-In and Opt-Out tracking settings, which could allow any unauthenticated users to update them

Affects Plugins

Plugin icon
loginpress
Fixed in 1.6.3

References

CVE
CVE-2022-41839

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nguyen Anh Tien
Verified
No
WPVDB ID
8458a81d-446b-474f-9e78-426ed120adcb

Timeline

Publicly Published
2022-11-07 (about 3 years ago)
Added
2022-11-20 (about 3 years ago)
Last Updated
2022-11-20 (about 3 years ago)

Other

Published
Title
Published
2024-09-16
Title
WooCommerce Multilingual & Multicurrency < 5.3.7 - Missing Authorization
Published
2025-04-04
Title
AdMail – Multilingual Back in-Stock Notifier for WooCommerce <= 1.7.0 - Missing Authorization
Published
2025-03-06
Title
EventPrime – Events Calendar, Bookings and Tickets < 4.0.7.4 - Missing Authorization to Authenticated (Subscriber+) Event Attendees Export
Published
2026-03-07
Title
Elementor Website Builder < 3.35.6 - Missing Authorization
Published
2026-03-27
Title
Spectra < 2.19.23 - Contributor+ Missing Authorization