WordPress Plugin Vulnerabilities

Real Estate Manager < 7.0 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
real-estate-manager
Fixed in 7.0

References

URL
https://plugins.trac.wordpress.org/browser/real-estate-manager/tags/6.7.1/classes/setup.class.php#L757

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
bfbfa1e1-3163-4532-9807-35117c25f058

Timeline

Publicly Published
2019-06-15 (about 6 years ago)
Added
2019-06-15 (about 6 years ago)
Last Updated
2024-04-08 (about 2 years ago)

Other

Published
Title
Published
2025-06-04
Title
Icegram Collect – Easy Form, Lead Collection and Subscription plugin < 1.3.19 - Missing Authorization
Published
2025-12-12
Title
AnnunciFunebri Impresa < 4.7.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Options Deletion
Published
2025-10-16
Title
Event Tickets < 5.26.4 - Missing Authorization
Published
2026-03-17
Title
Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools < 7.11.3 - Missing Authorization
Published
2025-02-14
Title
Oliver POS – A WooCommerce Point of Sale (POS) < 2.4.2.4 - Sensitive Information Exposure to Privilege Escalation