WordPress Plugin Vulnerabilities

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow unauthenticated users, such as subscriber to update them (such as the change the MailChimp API key, 404 page settings etc)

Affects Plugins

Plugin icon
jeg-elementor-kit
Fixed in 2.5.7

References

CVE
CVE-2022-3805

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
No
WPVDB ID
c431bd21-d2dc-4edc-a5e0-a8e0bdd6d069

Timeline

Publicly Published
2022-11-04 (about 3 years ago)
Added
2023-01-02 (about 2 years ago)
Last Updated
2023-01-02 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
Product Size Charts Plugin for WooCommerce < 2.4.6 - Missing Authorization
Published
2024-03-25
Title
Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control
Published
2025-04-01
Title
Agency Toolkit < 1.0.25 - Missing Authorization
Published
2025-12-08
Title
Page View Count <= 2.8.7 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-10-16
Title
MDTF <= 1.3.4 - Missing Authorization