WordPress Plugin Vulnerabilities

Slider Pro < 4.8.7 - Missing Authorization via AJAX actions

Description

The Slider Pro plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in versions up to, and including, 4.8.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to hide warnings.

Affects Plugins

Plugin icon
sliderpro
Fixed in 4.8.7

References

CVE
CVE-2023-41865
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f813cb1a-5922-48a5-a026-66ec9aaac294

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
cf262080-ddf6-4309-bb6f-6900f9cc8649

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2025-04-04
Title
Email Notifications for Updates < 1.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-12-10
Title
Carter for Elementor <= 1.0.2 - Missing Authorization
Published
2025-09-22
Title
Lazy Blocks < 4.1.1 - Missing Authorization
Published
2026-04-23
Title
HubSpot All-In-One Marketing - Forms, Popups, Live Chat < 11.3.33 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure
Published
2022-07-12
Title
Discy < 5.0 - Subscriber+ Broken Access Control to change settings