Molongui < 4.7.4 – Missing Authorization | CVE 2023-50876 | Plugin Vulnerabilities

Description

The Molongui plugin for WordPress is vulnerable to unauthorized modification and access of data due to missing capability checks on the authorship_export_options() and authorship_save_options() functions hooked via AJAX in versions up to, and including, 4.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and modify plugin options.

Affects Plugins

molongui-authorship

Fixed in 4.7.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6f01ecab-2dfe-45d2-9d9a-ba1e30c7d75f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abu Hurayra (HurayraIIT)

Verified

No

WPVDB ID

9f3772b7-0a7e-4923-b7a2-c3cbf9bbea90

Timeline

Publicly Published

2023-12-26 (about 2 years ago)

Added

2024-01-04 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-01-29

Title

Instant Images < 6.1.1 - Author+ Arbitrary Options Update

Published

2024-07-08

Title

Happy SCSS Compiler - Compile SCSS to CSS automatically <= 1.3.10 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-04-26

Title

Save as PDF plugin by Pdfcrowd < 3.2.1 - Missing Authorization

Published

2025-12-15

Title

Webba Booking < 6.2.2 - Missing Authorization

Published

2025-04-16

Title

Bring Fraktguiden for WooCommerce < 1.11.5 - Missing Authorization