WordPress Plugin Vulnerabilities

Dragfy Addons for Elementor <= 1.0.2 - Missing Authorization via save_settings

Description

The Dragfy Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings.

Affects Plugins

Plugin icon
dragfy-addons-for-elementor
No known fix

References

CVE
CVE-2023-47661
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7caaaaef-075b-44f6-8809-a02d5f034f26

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
a199b211-c6f7-450c-9071-4fa30e70ed8f

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-04-15
Title
Customer Reviews for WooCommerce < 5.47.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
Published
2022-11-09
Title
WPML < 4.5.11 - Subscriber+ Translation Job Status Update
Published
2024-06-03
Title
Upload Fields for WPForms <= 1.0.2 - Missing Authorization
Published
2024-03-15
Title
Word Replacer Pro <= 1.0 - Missing Authorization to Unauthenticated Arbitrary Content Update
Published
2025-12-12
Title
AnnunciFunebri Impresa < 4.7.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion