WordPress Plugin Vulnerabilities

Simple Org Chart < 2.3.5 - Unauthenticated Tree Settings Update

Description

The plugin does not have authorisation when updating its Tree settings, which could allow unauthenticated attackers to change them

Affects Plugins

Plugin icon
simple-org-chart
Fixed in 2.3.5

References

CVE
CVE-https://patchstack.com/database/wordpress/plugin/simple-org-chart/vulnerability/wordpress-simple-org-chart-plugin-2-3-4-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
8b6f8690-e8c0-4f1d-adef-a0dbc0db9de4

Timeline

Publicly Published
2023-08-17 (about 2 years ago)
Added
2023-10-12 (about 2 years ago)
Last Updated
2025-05-08 (about 1 year ago)

Other

Published
Title
Published
2023-02-07
Title
Wicked Folders < 2.18.17 - Subscriber+ Folder Structure Update
Published
2026-02-19
Title
iZooto <= 3.7.20 - Missing Authorization
Published
2025-06-05
Title
Hive Support < 1.2.6 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox
Published
2025-12-15
Title
Animation Addons for Elementor < 2.4.6 - Authenticated (Contributor+) Arbitrary Content Deletion
Published
2026-02-14
Title
Ultimate Review <= 2.3.9 - Missing Authorization