WordPress Plugin Vulnerabilities

Export WP Page to Static HTML/CSS < 2.2.0 - Missing Authorization via Multiple AJAX Actions

Description

The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings.

Affects Plugins

Plugin icon
export-wp-page-to-static-html
Fixed in 2.2.0

References

CVE
CVE-2023-6369
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/47cb48aa-b556-4f25-ac68-ff0a812972c1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
d15fd642-2192-41c8-9299-f4d5d12dfc38

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-11-29 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-03-13
Title
Eco Nature - Environment & Ecology WordPress Theme < 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Published
2025-04-09
Title
Woo Product Feed For Marketing Channels <= 1.9.0 - Missing Authorization
Published
2025-12-25
Title
My Sticky Elements < 2.3.4 - Missing Authorization
Published
2025-02-18
Title
Simple Photo Feed < 1.4.1 - Missing Authorization
Published
2024-05-20
Title
AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.5 - Missing Authorization to Unauthenticated Ad Status Update