WordPress Plugin Vulnerabilities

ND Shortcodes For Visual Composer < 6.0 - Unauthenticated WP Options Update

Description

Privilege escalation vulnerability that could allow an unauthenticated user to modify the settings of WordPress and to take over the blog and its database.

Please note that the vulnerability requires the blog to use one of the several themes from the author in order to exploit it, otherwise the settings page isn’t loaded

Affects Plugins

Plugin icon
nd-shortcodes
Fixed in 6.0

References

CVE
CVE-2019-15771
URL
https://blog.nintechnet.com/privilege-escalation-vulnerability-in-wordpress-nd-shortcodes-for-visual-composer-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
6.1 (medium)

Miscellaneous

Verified
No
WPVDB ID
eb12e6ee-f2ee-451d-9244-d63ebd3e1ddd

Timeline

Publicly Published
2019-07-31 (about 6 years ago)
Added
2019-07-31 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-07-08
Title
Sala <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
Published
2025-04-23
Title
Buddypress Force Password Change <= 0.1 - Subscriber+ Account Takeover via Password Update
Published
2025-11-26
Title
Tiger <= 101.2.1 - Unauthenticated Privilege Escalation
Published
2024-08-14
Title
Zephyr Project Manager < 3.3.102 - Authenticated (Subscriber+) Limited Privilege Escalation
Published
2021-01-12
Title
Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation