WordPress Plugin Vulnerabilities

Waiting: One-click countdowns <= 0.6.2 - Missing Authorization

Description

The plugin is vulnerable to authorization bypass due to missing capability checks on its AJAX calls in versions up to, and including, 0.6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create and delete countdowns as well as manipulate other plugin settings.

Affects Plugins

Plugin icon
waiting
No known fix

References

CVE
CVE-2023-3999

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
b725e942-654e-41a7-970e-140eaaca37fa

Timeline

Publicly Published
2022-12-23 (about 3 years ago)
Added
2023-08-31 (about 2 years ago)
Last Updated
2023-08-31 (about 2 years ago)

Other

Published
Title
Published
2025-10-30
Title
Booster for WooCommerce < 7.5.0 - Missing Authorization
Published
2024-01-31
Title
NEX-Forms – Ultimate Form Builder – Contact forms and much more < 8.5.7 - Missing Authorization via restore_records()
Published
2025-08-22
Title
WC Plus <= 1.2.0 - Missing Authorization to Unauthenticated Settings Manipulation
Published
2026-03-02
Title
pixfort Core < 3.2.26 - Missing Authorization
Published
2026-01-06
Title
Quote Comments <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update