WordPress Plugin Vulnerabilities
YIT Plugin Framework < 3.3.13 - Subscriber+ Settings Update
Description
The YIT Plugin Framework before v3.3.13 used by the plugins does not have authorisation and CSRF checks when updating settings, allowing any authenticated users, such as subscriber to update arbitrary settings in the affected plugins
Affects Plugins
Fixed in 2.2.14
Fixed in 2.3.15
Fixed in 1.3.15
Fixed in 1.3.12
Fixed in 1.7.1
Fixed in 1.3.21
Fixed in 1.3.7
Fixed in 1.4.9
Fixed in 1.3.6
Fixed in 1.2.11
Fixed in 1.2.13
Fixed in 1.2.1
Fixed in 1.4.0
Fixed in 1.5.23
Fixed in 1.3.8
Fixed in 1.3.6
Fixed in 1.6.3
Fixed in 1.4.5
Fixed in 1.1.17
Fixed in 1.2.11
Fixed in 1.7.5
Fixed in 1.8.13
Fixed in 1.1.8
Fixed in 1.1.13
Fixed in 1.3.13
Fixed in 1.2.15
Fixed in 2.0.2
Fixed in 1.3.11
Fixed in 1.3.6
Fixed in 1.0.12
Fixed in 1.1.13
Fixed in 1.1.13
Fixed in 2.1.4
Fixed in 3.4.1
Fixed in 1.2.0
Fixed in 1.3.4
Fixed in 1.2.6
Fixed in 1.2.8 References
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Jerome Bruandet
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2019-10-31 (about 6 years ago)
Added
2019-10-31 (about 6 years ago)
Last Updated
2023-01-02 (about 3 years ago)
WPScan 