WordPress Plugin Vulnerabilities

BadgeOS <= 3.7.1.6 - Subscriber+ IDOR

Description

The plugin does not perform proper validation and authorization on several AJAX requests, allowing an attacker with Subscriber permissions or higher to update arbitrary post titles and delete arbitrary posts.

Affects Plugins

Plugin icon
badgeos
No known fix

References

CVE
CVE-2023-2172
CVE
CVE-2023-2173

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
c0943225-93e6-45f4-a41f-e381ed44ea99

Timeline

Publicly Published
2023-07-05 (about 2 years ago)
Added
2023-08-31 (about 2 years ago)
Last Updated
2023-08-31 (about 2 years ago)

Other

Published
Title
Published
2026-01-01
Title
Holmes <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-09-24
Title
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.13 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation
Published
2025-01-02
Title
WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-04-03
Title
WCFM - WooCommerce Frontend Manager < 6.7.26 - Insecure Direct Object References to Autenticated (Vendor+) Arbitrary Post/Product Manipulation
Published
2022-10-28
Title
Comments - wpDiscuz 7.4.2 - Subscriber+ IDOR