WordPress Plugin Vulnerabilities

WCMultiShipping < 2.3.6 - Missing Authorization to Log Export

Description

The WCMultiShipping plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wms_export_log function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and view the plugins log file.

Affects Plugins

Plugin icon
wc-multishipping
Fixed in 2.3.6

References

CVE
CVE-2023-48274
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4b19657c-3e95-42cf-8d1a-64fa50b3b82b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
bbdc3333-a3b1-4d29-9db8-b589d8ea5738

Timeline

Publicly Published
2023-11-21 (about 2 years ago)
Added
2023-11-28 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-11-05
Title
Tumult Hype Animations < 1.9.15 - Missing Authorization
Published
2024-03-29
Title
SP Project & Document Manager <= 4.70 - Missing Authorization Stored Cross-Site Scripting
Published
2025-10-14
Title
Oceanpayment CreditCard Gateway <= 6.0 - Unauthenticated Order Status Update
Published
2025-12-05
Title
Formstack Online Forms <= 2.0.2 - Missing Authorization
Published
2025-04-22
Title
Download Alt Text AI < 1.9.94 - Missing Authorization