WordPress Plugin Vulnerabilities

Premium Packages - Sell Digital Products Securely < 5.7.5 - Subscriber+ Privilege Escalation

Description

The plugin does not check users metadata to be updated, allowing any authenticated users, such as subscriber to set their role via the profile[role] parameter when updating their profile

Affects Plugins

Plugin icon
wpdm-premium-packages
Fixed in 5.7.5

References

CVE
CVE-2023-4293

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
f0f70e26-03ca-49bb-8902-9720b512da5d

Timeline

Publicly Published
2023-08-11 (about 2 years ago)
Added
2023-08-16 (about 2 years ago)
Last Updated
2023-08-16 (about 2 years ago)

Other

Published
Title
Published
2021-04-26
Title
Store Locator Plus < 5.9 - Authenticated Privilege Escalation
Published
2026-02-18
Title
Lizza LMS Pro < 1.0.4 - Unauthenticated Privilege Escalation
Published
2019-12-13
Title
WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
Published
2026-02-18
Title
Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation
Published
2023-10-17
Title
Themify Ultra < 7.3.6 - Privilege Escalation