WordPress Plugin Vulnerabilities

ProductX – Gutenberg WooCommerce Blocks < 3.0.0 - Missing Authorization via option_data_save

Description

The ProductX – Gutenberg WooCommerce Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the option_data_save function in versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify plugin settings.

Affects Plugins

Plugin icon
product-blocks
Fixed in 3.0.0

References

CVE
CVE-2023-45271
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f1aa6c8b-8231-49f1-a30a-fc1a03813221

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
dee15348-f57e-47e9-8664-2699dd9f4470

Timeline

Publicly Published
2023-10-06 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2026-02-18
Title
RegistrationMagic < 6.0.7.7 - Missing Authorization
Published
2025-03-14
Title
Give < 3.22.1 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function
Published
2024-12-03
Title
Accessibility by AllAccessible < 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update
Published
2024-04-30
Title
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.0 - Missing Authorization
Published
2026-01-16
Title
Peach Payments Gateway < 3.3.7 - Missing Authorization