WordPress Plugin Vulnerabilities

WP Directory Kit < 1.2.7 - Missing Authorization

Description

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on one of its functions in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to make use of functionality intended for users with higher access levels.

Affects Plugins

Plugin icon
wpdirectorykit
Fixed in 1.2.7

References

CVE
CVE-2023-41875
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/60083262-198d-4a7d-bb0a-717a744e20f9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (Medium)

Miscellaneous

Original Researcher
Debangshu Kundu, Arpeet Rathi
Verified
No
WPVDB ID
aa6da9f6-c739-4c78-8cac-0cf58078bfbf

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2026-02-22
Title
Directorist < 8.6.1 - Missing Authorization
Published
2026-01-05
Title
TaxoPress < 3.42.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification
Published
2024-02-27
Title
Page Duplicator <= 0.1.1 - Missing Authorization to Unauthenticated Post/Page Duplication
Published
2025-02-13
Title
Event Tickets and Registration < 5.19.1.2 - Missing Authorization to Ticket Deletion
Published
2025-12-15
Title
Admin and Site Enhancements (ASE) < 8.1.0 - Missing Authorization