Auto Tag Creator <= 1.0.2 – Missing Authorization via tag_save_settings_callback | CVE 2023-47523 | Plugin Vulnerabilities

Description

The Auto Tag Creator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_save_settings_callback function in versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings.

Affects Plugins

auto-tag-creator

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d4b6d2c6-d157-4c4c-b6e1-557b8353c742

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

dbd71602-2d7c-4a72-b3b9-ef63cbbd3532

Timeline

Publicly Published

2023-11-07 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-12-15

Title

Read More & Accordion < 3.5.6 - Missing Authorization

Published

2022-11-01

Title

WatchTowerHQ < 3.6.16 - Unauthenticated Arbitrary File Access

Published

2024-05-15

Title

Tutor LMS Pro < 2.7.1 - Missing Authorization to SQL Injection

Published

2024-02-20

Title

Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset

Published

2025-05-09

Title

SMS Alert Order Notifications – WooCommerce < 3.8.2 - Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function