WordPress Plugin Vulnerabilities

miniorange otp verification < 4.2.2 - Missing Authorization via dismiss_notice

Description

The miniorange otp verification plugin for WordPress is vulnerable to unauthorized admin notice dismissal due to a missing capability check on the dismiss_notice function in versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices intended for admins.

Affects Plugins

Plugin icon
miniorange-otp-verification
Fixed in 4.2.2

References

CVE
CVE-2023-47776
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/62ea1427-0990-4645-aa1a-42da6fd3944f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
d498c9ff-35be-4259-be9e-be61b3512f92

Timeline

Publicly Published
2023-11-14 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-09-25
Title
PWA for WP & AMP < 1.7.73 - Missing Authorization
Published
2025-11-14
Title
Contest Gallery < 28.0.3 - Missing Authorization
Published
2026-04-07
Title
MainWP Child Reports < 2.3 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API
Published
2024-03-11
Title
Auto Affiliate Links < 6.4.3.1 - Missing Authorization via aalAddLink
Published
2026-01-21
Title
BackItUp <= 2.1.0 - Missing Authorization