WordPress Plugin Vulnerabilities

WP Accessibility Helper (WAH) < 0.6.2.5 - Missing Authorization via AJAX action

Description

The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to a missing capability check on the wah_update_attachment_title function in versions up to, and including, 0.6.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change attachment titles.

Affects Plugins

Plugin icon
wp-accessibility-helper
Fixed in 0.6.2.5

References

CVE
CVE-2023-41869
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b97b84a8-cf4e-4648-8d58-b81a71b7988c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
915526d5-7d0c-41e3-842a-8387dcd43176

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2026-03-04
Title
Fluent Forms Pro Add On Pack < 6.1.18 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion
Published
2025-12-31
Title
Direct Payments WP <= 1.3.0 - Missing Authorization
Published
2026-03-03
Title
Enable Media Replace < 4.1.8 - Author+ Arbitrary Attachment Change via Background Replace
Published
2023-06-15
Title
CHP Ads Block Detector < 3.9.8 - Subscriber+ Plugin Settings Update
Published
2025-09-10
Title
Salon Booking System < 10.24 - Missing Authorization to Unauthenticated AJAX Actions Execution