Shortcoder < 6.3.1 – Subscriber+ Unauthorised AJAX Call | CVE 2023-49849

Affects Plugins

Fixed in 6.3.1

References

CVE

CVE-2023-49849

URL

https://patchstack.com/database/vulnerability/shortcoder/wordpress-shortcoder-plugin-6-3-broken-access-control-vulnerability

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

e19a470c-7e8c-4193-8b91-0503f9d3d6d9

Timeline

Publicly Published

2023-12-06 (about 2 years ago)

Added

2023-12-11 (about 2 years ago)

Last Updated

2023-12-13 (about 2 years ago)

Other

Published

Title

Published

2022-01-31

Title

Better Notifications for WP < 1.8.7 - Email Address Disclosure

Published

2023-12-27

Title

WooCommerce Product Vendors < 2.2.2 - Missing Authorization

Published

2021-11-25

Title

Browser and Operating System Finder <= 1.2 - Unauthenticated Arbitrary Settings Update to Stored XSS

Published

2024-08-07

Title

FormCraft < 1.2.11 - Missing Authorization

Published

2024-07-16

Title

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin < 5.7.27 - Missing Authorization