WordPress Plugin Vulnerabilities

Sirv < 7.1.3 - Missing Authorization via sirv_disconnect

Description

The Sirv plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sirv_disconnect function hooked via AJAX in versions up to, and including, 7.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to disconnect the sites serv account.

Affects Plugins

Plugin icon
sirv
Fixed in 7.1.3

References

CVE
CVE-2023-50898
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4a67ec6-ee13-4532-8213-d17dbf5f2c55

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
db9b0cd0-9f6e-4688-bf11-7fa215d7cd26

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-04-04
Title
WP Genealogy – Your Family History Website <= 0.1.9 - Missing Authorization
Published
2026-01-19
Title
PostX < 5.0.4 - Missing Authorization
Published
2025-05-16
Title
EventON (Pro) <= 4.9.9 - Missing Authorization
Published
2026-02-25
Title
Permalink Manager Lite < 2.5.3 - Missing Authorization
Published
2024-04-15
Title
2Checkout Payment Gateway for WooCommerce <= 6.2 - Missing Authorization via sniff_ins