WordPress Plugin Vulnerabilities

User Role by BestWebSoft < 1.6.7 - Privilege Escalation via CSRF

Description

The plugin does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.

Proof of Concept

Affects Plugins

Plugin icon
user-role
Fixed in 1.6.7

References

CVE
CVE-2023-0820

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.5 (high)

Miscellaneous

Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
b93d9f9d-0fd9-49b8-b465-d32b95351912

Timeline

Publicly Published
2023-03-13 (about 2 years ago)
Added
2023-03-13 (about 2 years ago)
Last Updated
2023-03-13 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
CouponXxL <= 4.5.0 - Cross-Site Request Forgery
Published
2023-02-23
Title
Organization chart < 1.4.5 - Multiple CSRF
Published
2025-03-27
Title
3DPrint Lite < 2.1.3.6 - Cross-Site Request Forgery
Published
2023-04-07
Title
Simple Job Board < 2.10.4 - Settings Update via CSRF
Published
2025-06-05
Title
WP Time Slots Booking Form < 1.2.31 - Cross-Site Request Forgery