WordPress Plugin Vulnerabilities

ACF Photo Gallery Field < 2.0 - Subscriber+ UserMeta Update

Description

The plugin does not check user meta to be updated, allowing any authenticated users, such as subscriber, to update any of their user meta to an arbitrary string

Affects Plugins

Plugin icon
navz-photo-gallery
Fixed in 2.0

References

CVE
CVE-2023-3957

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
Yes
WPVDB ID
ba63aa03-9afa-4015-854e-7ca7ef9fe7dc

Timeline

Publicly Published
2023-07-26 (about 2 years ago)
Added
2023-07-27 (about 2 years ago)
Last Updated
2023-07-27 (about 2 years ago)

Other

Published
Title
Published
2026-02-18
Title
Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update
Published
2022-07-25
Title
SearchWP Live Ajax Search < 1.6.2 - Unauthenticated Arbitrary Post Title Disclosure
Published
2020-10-15
Title
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion
Published
2025-01-31
Title
WP Job Portal < 2.2.7 - Insecure Direct Object Reference to Unauthenticated Company Logo Deletion
Published
2024-08-16
Title
Stripe Payments For WooCommerce by Checkout < 1.9.2 - Unauthenticated Insecure Direct Object Reference