Bold Timeline Lite < 1.2.0 – Missing Authorization to Admin Notice Dismissal | CVE 2023-45110 | Plugin Vulnerabilities

Description

The Bold Timeline Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a logic error on the bold_timeline_wpdocs_this_screen function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss a plugin notice intended for administrators.

Affects Plugins

bold-timeline-lite

Fixed in 1.2.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9bbabf5e-dbfc-4b01-94ae-0e8fd6b3cc26

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

9856c6b8-769f-4ab8-89e9-d72b1de9e9f5

Timeline

Publicly Published

2023-10-06 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-05 (about 2 years ago)

Other

Published

Title

Published

2024-01-10

Title

EventON (Free < 2.2.9, Premium < 4.5.9) - Unauthenticated Virtual Event Settings Update

Published

2026-04-16

Title

WP Statistics < 14.16.5 - Subscriber+ Sensitive Information Exposure and Privacy Audit Manipulation

Published

2024-08-20

Title

Event Espresso 4 Decaf – Event Registration Event Ticketing < 5.0.22.decafdecaf- Authenticated (Subscriber+) Missing Authorization to Limited Plugin Settings Modification

Published

2025-01-24

Title

GoHero Store Customizer for WooCommerce < 4.0 - Missing Authorization to Unuthenticated Settings Update

Published

2023-09-18

Title

Super Store Finder < 6.9.4 - Unauthenticated Email Creation/Sending