WordPress Plugin Vulnerabilities

Social Pug < 1.30.1 - Missing Authorization via multiple admin_init actions

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions that run on admin_init, allowing unauthenticated attackers to update the database.

Affects Plugins

Plugin icon
social-pug
Fixed in 1.30.1

References

CVE
CVE-2023-49193
URL
https://patchstack.com/database/vulnerability/social-pug/wordpress-grow-social-plugin-1-20-3-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
e0507065-c249-4f92-b71b-8a8c0635d518

Timeline

Publicly Published
2023-12-01 (about 2 years ago)
Added
2023-12-07 (about 2 years ago)
Last Updated
2023-12-14 (about 2 years ago)

Other

Published
Title
Published
2025-05-07
Title
Eventin < 4.0.27 - Missing Authorization to Unauthenticated Privilege Escalation
Published
2024-05-21
Title
ApplyOnline – Application Form Builder and Manager < 2.6.3 - Missing Authorization to Sensitive Information Exposure
Published
2025-04-22
Title
Download Alt Text AI < 1.9.94 - Missing Authorization
Published
2023-02-24
Title
WP Meta SEO < 4.5.4 - Subscriber+ Google Analytics Settings Update
Published
2026-01-06
Title
Fluent Forms < 6.1.8 - Subscriber+ Arbitrary Form Creation via AI Builder