WordPress Plugin Vulnerabilities

Surfer < 1.3.3.379 - Missing Authorization

Description

The Surfer plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on several functions, such as remove_post_draft_connection, check_draft_status, get_locations, get_ajax_surfer_connect_url, disconnect_surfer_from_wp, and check_connection_status called via AJAX actions in versions up to, and including, 1.3.2.357. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the connection details for the plugin and check the status details of posts.

Affects Plugins

Plugin icon
surferseo
Fixed in 1.3.3.379

References

CVE
CVE-2023-35037
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c06f9f6d-3cd0-4700-834b-435a99983453

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (Medium)

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
a99c7c15-e3c0-4b9d-bbff-4c322d576fc9

Timeline

Publicly Published
2023-09-01 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-30 (about 2 years ago)

Other

Published
Title
Published
2025-11-07
Title
Traveler <= 3.2.6 - Missing Authorization
Published
2025-12-07
Title
WooCommerce PDF Invoices & Packing Slips < 5.0.0 - Missing Authorization
Published
2025-10-07
Title
Chartify < 3.6.0 - Missing Authentication for Administrative Function
Published
2024-01-17
Title
Amelia < 1.0.99 - Missing Authorization
Published
2022-11-28
Title
Popup Manager <= 1.6.6 - Unauthenticated Arbitrary Popup Deletion