WordPress Plugin Vulnerabilities

WP Directory Kit < 1.2.4 - Missing Authorization for Plugin Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them.

Affects Plugins

Plugin icon
wpdirectorykit
Fixed in 1.2.4

References

CVE
CVE-2023-2351

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
e64aa067-0ba2-464a-84df-f37e98c85119

Timeline

Publicly Published
2023-06-12 (about 2 years ago)
Added
2023-06-13 (about 2 years ago)
Last Updated
2023-06-13 (about 2 years ago)

Other

Published
Title
Published
2024-12-11
Title
Mark New Posts < 7.6 - Missing Authorization via save_options
Published
2024-04-22
Title
Academy LMS < 1.9.17 - Missing Authorization
Published
2024-02-12
Title
Directorist < 7.8.5 - Missing Authorization to Unauthenticated Settings Change
Published
2025-05-16
Title
EventON - WordPress Virtual Event Calendar Plugin < 4.9.7 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2024-09-23
Title
Appointment & Event Booking Calendar Plugin – Webba Booking < 5.0.50 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update