AWeber < 7.3.10 – Missing Authorization via AJAX actions | CVE 2023-47757 | Plugin Vulnerabilities

Description

The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked by AJAX actions in all versions up to, and including, 7.3.9. This makes it possible for subscribers and higher to create and publish pages and modify landing pages.

Affects Plugins

aweber-web-form-widget

Fixed in 7.3.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/397f20d8-2400-4403-8543-f57141378012

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

c922069f-aa14-4287-8de5-686ff1489d77

Timeline

Publicly Published

2023-11-13 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-12-30

Title

Payment Gateway Authorize.Net CIM for WooCommerce <= 2.1.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

Published

2025-12-23

Title

Chakra test < 1.0.2 - Missing Authorization

Published

2025-12-31

Title

DMCA Protection Badge <= 2.2.0 - Missing Authorization

Published

2024-08-28

Title

Fota WP < 1.4.2 - Missing Authorization via fotawp_install_and_activate_plugins()

Published

2025-09-26

Title

WEDOS Global <= 1.2.2 - Missing Authorization