WordPress Plugin Vulnerabilities

Mediabay <= 1.6 - Missing Authorization via AJAC actions

Description

The Mediabay plugin for WordPress is vulnerable to unauthorized use of functionality due to missing capability checks on several AJAX actions in versions up to, and including, 1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to make changes to sidebars created with this plugin.

Affects Plugins

Plugin icon
mediabay-lite
No known fix

References

CVE
CVE-2023-46612
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a923f58-f6c7-47ee-87f6-27453b39d1cf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
emad
Verified
No
WPVDB ID
dbed9fcc-2025-44e0-896e-dac6c3e174e5

Timeline

Publicly Published
2023-10-24 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-02-13
Title
Smart Forms < 2.6.101 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure
Published
2025-10-06
Title
Progress Planner < 1.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-06-05
Title
Custom Category/Post Type Post order < 2.0 - Missing Authorization
Published
2024-04-04
Title
Happy Addons for Elementor < 3.10.5 - Incorrect Authorization to Information Exposure
Published
2025-02-24
Title
Private Content <= 8.11.5 - Missing Authorization