Super Socializer < 7.13.55 – Missing Authorization | CVE 2023-41802 | Plugin Vulnerabilities

Description

The Super Socializer plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions such as heateor_ss_twitcount_notification_read, heateor_ss_gdpr_notification_read, heateor_ss_fb_redirection_notification_read, heateor_ss_twitter_callback_notification_read, heateor_ss_linkedin_redirect_url_notification_read, heateor_ss_fb_count_notification_read, heateor_ss_twitter_new_callback_notification_read, and more in versions up to, and including, 7.13.54. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark messages as read

Affects Plugins

super-socializer

Fixed in 7.13.55

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/101dd211-c3eb-4d27-9194-841bc2a968e6

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

a137c69f-a495-458d-a7ed-491f17a88288

Timeline

Publicly Published

2023-09-05 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-12-04 (about 2 years ago)

Other

Published

Title

Published

2026-01-23

Title

LeadConnector < 3.0.22 - Missing Authorization

Published

2023-09-29

Title

Unyson <= 2.7.28 - Missing Authorization

Published

2025-12-15

Title

Sitewide Notice WP < 2.4.2 - Missing Authorization

Published

2025-07-16

Title

The Plus Addons for Elementor Pro < 6.3.7 - Missing Authorization

Published

2022-06-16

Title

BuddyPress Group Reviews < 2.8.4 - Subscriber+ Arbitrary Settings Update & Review Modification