Strong Testimonials < 3.1.13 – Authenticated(Contributor+) Improper Authorization to Views Modification | CVE 2023-6491 | Plugin Vulnerabilities

Description

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views.

Affects Plugins

strong-testimonials

Fixed in 3.1.13

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c3277d93-4f47-445b-a193-ff990b55d054

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

dfd10355-c3a0-4b69-8987-95a4c34724f0

Timeline

Publicly Published

2024-06-06 (about 1 year ago)

Added

2024-06-06 (about 1 year ago)

Last Updated

2024-07-29 (about 1 year ago)

Other

Published

Title

Published

2024-03-20

Title

WooCommerce Cloak Affiliate Links < 1.0.34 - Missing Authorization to Unauthenticated Permalink Modification

Published

2023-06-02

Title

Online Booking & Scheduling Calendar for WordPress by vcita < 4.4.3 - Unauthenticated Stored XSS

Published

2022-01-19

Title

WP HTML Mail < 3.1 - Unprotected REST-API Endpoint

Published

2021-10-20

Title

Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection

Published

2021-03-24

Title

All Thrive Themes and Plugins - Unauthenticated Option Update