Category Slider for WooCommerce < 1.4.16 – Missing Authorization via notice dismissal functionality | CVE 2023-41132 | Plugin Vulnerabilities

Description

The Category Slider for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability and nonce check on various admin notice dismissal functions in versions up to, and including, 1.4.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss administrative notices.

Affects Plugins

woo-category-slider-grid

Fixed in 1.4.16

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ab1bd64b-8575-4ab4-bca5-8d5ce6f476d1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

e783323a-ec28-414f-b779-44e8243d461d

Timeline

Publicly Published

2023-08-24 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-11-23 (about 2 years ago)

Other

Published

Title

Published

2024-02-27

Title

Page Duplicator <= 0.1.1 - Missing Authorization to Unauthenticated Post/Page Duplication

Published

2025-11-24

Title

Chamber Dashboard Business Directory <= 3.3.11 - Missing Authorization to Unauthenticated Business Information Export

Published

2024-12-02

Title

WP Mailster < 1.8.17.0 - Missing Authorization

Published

2024-03-11

Title

LadiApp <= 4.4 - Missing Authorization via ladiflow_save_hook()

Published

2025-01-06

Title

ClickDesigns < 2.0.0 - Missing Authorization to API Key Modification or Removal