WordPress Plugin Vulnerabilities

Preloader for Website < 1.3 - Missing Authorization via plwao_register_settings()

Description

The Preloader for Website plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the plwao_register_settings() function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to reset the plugin's settings.

Affects Plugins

Plugin icon
preloader-for-website
Fixed in 1.3

References

CVE
CVE-2023-48273
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5cfc38c0-f940-4c4d-ba7b-0d772146ea2d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
e69e8aec-6d1f-47f2-9307-1caa0529bdfc

Timeline

Publicly Published
2023-11-21 (about 2 years ago)
Added
2023-11-28 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-07-21
Title
Post SMTP < 3.3.0 - Subscriber+ Account Takeover via Email Log Exposure
Published
2025-09-03
Title
Support Genix < 1.4.24 - Missing Authorization
Published
2026-03-03
Title
Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder < 1.6.1 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema()
Published
2026-03-23
Title
Product Filter for WooCommerce by WBW < 3.1.3 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE
Published
2025-06-19
Title
Media Hygiene < 4.0.3 - Missing Authorization