WordPress Plugin Vulnerabilities

EmbedPress < 3.8.3 - Subscriber+ Plugin Settings Delete

Description

The plugin does not properly authorize access to its admin_post_remove and remove_private_data actions, allowing low privileged users (such as subscribers) to delete plugin settings.

Affects Plugins

Plugin icon
embedpress
Fixed in 3.8.3

References

CVE
CVE-2023-4282
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/embedpress/embedpress-382-missing-authorization-to-authenticated-subscriber-plugin-settings-delete-via-admin-post-remove-and-remove-private-data

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
8e5b3e67-7640-48a0-b1e0-c118eb9de8d8

Timeline

Publicly Published
2023-08-09 (about 2 years ago)
Added
2023-08-10 (about 2 years ago)
Last Updated
2023-08-10 (about 2 years ago)

Other

Published
Title
Published
2025-05-15
Title
Tours < 1.0.1 - Missing Authorization
Published
2025-12-31
Title
Watcher for Elementor <= 1.0.9 - Missing Authorization
Published
2025-03-25
Title
Ultimate Dashboard < 3.8.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation
Published
2025-01-16
Title
WP Journal <= 1.1 - Missing Authorization
Published
2026-01-20
Title
Scalenut <= 1.1.3 - Missing Authorization