WordPress Plugin Vulnerabilities

Page Builder by AZEXO <= 1.27.133 - Subscriber+ Post Creation

Description

The plugin does not properly authorize post creation in it's azh_add_post ajax action, allowing any authenticated users to create posts with any post type and status, even when that should not have this capability.

Affects Plugins

Plugin icon
page-builder-by-azexo
No known fix

References

CVE
CVE-2023-3053
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/page-builder-by-azexo/page-builder-by-azexo-127133-missing-authorization-to-post-creation

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
9f2a6cba-7a82-44d8-a419-0fccc0d95c4f

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-03 (about 2 years ago)

Other

Published
Title
Published
2021-08-23
Title
OMGF < 4.5.4 - Subscriber+ Arbitrary File/Folder Deletion
Published
2021-08-23
Title
Timetable and Event Schedule by MotoPress < 2.4.2 - Unauthorised Event TimeSlot Update
Published
2025-01-16
Title
WP Hotel Booking < 2.1.6 - Missing Authorization
Published
2020-12-14
Title
Total Upkeep by BoldGrid < 1.14.10 - Unauthenticated Backup Download
Published
2023-10-16
Title
Templately < 2.2.6 - Unauthenticated Arbitrary Post Deletion