Animator < 3.0.11 – Missing Authorization to Plugin Settings Update | CVE 2023-47689 | Plugin Vulnerabilities

Description

The Animator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sta_update_options() function in versions up to, and including, 3.0.10. This makes it possible for subscribers to modify the plugin's settings. Version 3.0.9 used to provide a nopriv action hook, which allowed unauthenticated individuals to perform this task.

Affects Plugins

scroll-triggered-animations

Fixed in 3.0.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f8457aeb-867b-4185-8271-a5452b7c5365

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Elliot

Verified

No

WPVDB ID

9401372f-74ff-448c-8aaf-58cfd6d72083

Timeline

Publicly Published

2023-11-09 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2023-09-18

Title

Super Store Finder < 6.9.4 - Unauthenticated Email Creation/Sending

Published

2025-08-21

Title

IDonatePro <= 2.1.9 - Missing Authorization

Published

2023-10-25

Title

WordPress CTA < 1.5.9 - Unauthenticated AJAX Actions Call

Published

2025-04-01

Title

GDPR Cookie Notice <= 1.2.0 - Missing Authorization

Published

2025-12-12

Title

MediaCommander – Bring Folders to Media, Posts, and Pages < 2.4.0 - Missing Authorization to Authenticated (Author+) Media Folder Deletion