WordPress Plugin Vulnerabilities

Short URL <= 1.6.8 - Missing Authorization via multiple AJAX functions

Description

The Short URL plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 1.6.8. This makes it possible for authenticated attackers such as subscribers to add, modify, or delete translations and plugin options.

Affects Plugins

Plugin icon
shorten-url
No known fix

References

CVE
CVE-2023-47225
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a83061c0-d8d3-4dbe-bf2a-65350d17094b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
ad8b5987-a51d-491b-8418-1304f01642ac

Timeline

Publicly Published
2023-11-03 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-03-06
Title
MDJM Event Management < 1.7.8.2 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion
Published
2026-02-25
Title
DEPART < 1.0.8 - Missing Authorization
Published
2022-05-13
Title
Files Download Delay < 1.0.7 - Subscriber+ Settings Reset
Published
2025-03-27
Title
Chatbox Manager < 1.2.3 - Missing Authorization
Published
2023-09-01
Title
Ovic Product Bundle <= 1.1.2 - Missing Authorization