Foyer <= 1.7.5 – Content Injection via Improper Access Control | CVE 2023-47663 | Plugin Vulnerabilities

Description

The Foyer – Digital Signage for WordPress plugin for WordPress is vulnerable to unauthorized content injection due to an insufficient capability check on the editing functionality in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with contributor access and above, to publish arbitrary content via slides.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/97344674-15df-45e6-9906-f21a9920a6e1

Classification

Type

CONTENT INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

8af6a384-f869-43e1-a57c-41e86bc5cce9

Timeline

Publicly Published

2023-11-07 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-24 (about 2 years ago)

Other

Published

Title

Published

2024-06-06

Title

PPOM for WooCommerce < 32.0.21 - Unauthenticated Content Injection Vulnerability

Published

2026-04-29

Title

Five Star Restaurant Reservations < 2.7.17 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter

Published

2025-11-21

Title

Subscriptions & Memberships for PayPal < 1.1.8 - Unauthenticated Fake Payment Creation

Published

2024-06-28

Title

Photo Gallery by Ays < 5.7.1 - Administrator+ HTML Injection

Published

2026-04-06

Title

Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More < 1.8.10 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook