WordPress Plugin Vulnerabilities

WP Users Media <= 4.2.3 - Missing Authorization via wpusme_save_settings

Description

The WP Users Media plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpusme_save_settings function in versions up to, and including, 4.2.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify plugin settings.

Affects Plugins

Plugin icon
wp-users-media
No known fix

References

CVE
CVE-2023-27428
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e125188-4aff-4c64-b4ec-a363db2431b7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (Medium)

Miscellaneous

Original Researcher
Zlrqh
Verified
No
WPVDB ID
e8a37352-40f6-4eb0-bdd9-dd245703652f

Timeline

Publicly Published
2023-08-28 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-27 (about 2 years ago)

Other

Published
Title
Published
2026-05-11
Title
Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter
Published
2026-01-14
Title
Alma < 5.16.2 - Missing Authorization
Published
2025-04-04
Title
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution < 4.2.20 - Missing Authorization to Unauthenticated Table Rates Deletion
Published
2025-05-19
Title
GDPR CCPA Compliance Support < 2.7.4 - Missing Authorization
Published
2021-11-10
Title
Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS