WordPress Plugin Vulnerabilities

BadgeOS <= 3.7.1.6 - Missing Authorization

Description

The BadgeOS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions such as listing users

Affects Plugins

Plugin icon
badgeos
No known fix

References

CVE
CVE-2023-47647
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/515e62ba-c3b8-42d0-95e3-be347b8851a5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Elliot
Verified
No
WPVDB ID
8ada8449-32d7-499f-afce-b032c31cadf5

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-16
Title
Xola <= 1.6 - Missing Authorization
Published
2024-10-17
Title
WP REST API FNS <= 1.0.0 - Privilege Escalation
Published
2025-01-24
Title
Patreon WordPress < 1.9.2 - Missing Authorization
Published
2025-12-18
Title
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program < 2.9.7.2 - Missing Authorization to Sensitive Information Exposure
Published
2022-07-26
Title
Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending