WordPress Plugin Vulnerabilities

WP Shamsi < 4.2.0 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
wp-shamsi
Fixed in 4.2.0

References

CVE
CVE-2022-38058

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
a9960eed-93b4-4a94-abab-74f681698194

Timeline

Publicly Published
2022-09-05 (about 3 years ago)
Added
2022-09-15 (about 3 years ago)
Last Updated
2022-10-03 (about 3 years ago)

Other

Published
Title
Published
2024-03-25
Title
Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control
Published
2024-07-17
Title
Booking Ultra Pro < 1.1.14 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Updates
Published
2024-01-03
Title
Void Contact Form 7 Widget For Elementor Page Builder < 2.4 - Missing Authorization
Published
2025-11-18
Title
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings < 8.5.3 - Missing Authorization to Authenticated (Subscriber+) Data Export and Slug Update
Published
2025-10-04
Title
Export Categories <= 1.0 - Missing Authorization