WordPress Plugin Vulnerabilities

Participants Database < 2.5.6 - Missing Authorization

Description

The Participants Database plugin for WordPress is vulnerable to unauthorized manipulation of data due to a missing capability check on several functions hooked via admin-post in all versions up to, and including, 2.5.5. This makes it possible for unauthenticated attackers to add and modify record fields.

Affects Plugins

Plugin icon
participants-database
Fixed in 2.5.6

References

CVE
CVE-2023-48751
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd2b2ba-c4ec-4799-91b4-b38c462baee4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Yudistira Arya
Verified
No
WPVDB ID
b6cc2cc4-5629-4d11-a2a5-6181f620d2de

Timeline

Publicly Published
2023-11-27 (about 2 years ago)
Added
2023-11-30 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-04-29
Title
Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe < 29.0.0 - Missing Authorization
Published
2025-04-03
Title
Payday <= 3.3.18 - Missing Authorization
Published
2026-01-27
Title
Aardvark <= 2.19 - Missing Authorization
Published
2025-01-16
Title
OPSI Israel Domestic Shipments <= 2.8.2 - Missing Authorization
Published
2024-10-24
Title
Image Map Pro < 6.0.21 - Missing Authorization to Authenticated (Contributor+) Map Project Add/Update/Delete