WordPress Plugin Vulnerabilities

10WebAnalytics <= 1.2.12 - Missing Authorization via gawd_wd_bp_install_notice_status

Description

The 10WebAnalytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gawd_wd_bp_install_notice_status function in versions up to, and including, 1.2.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss admin notifications.

Affects Plugins

Plugin icon
wd-google-analytics
No known fix

References

CVE
CVE-2023-47807
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5dd2a4cb-dd74-4b00-82f5-3bf1452e71a3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
f21be729-9489-498d-bc64-ddb9a203bd25

Timeline

Publicly Published
2023-11-16 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-12-05
Title
Prodigy Commerce < 3.1.3 - Missing Authorization
Published
2024-05-09
Title
White Label CMS < 2.7.4 - Missing Authorization to Plugin Settings Reset
Published
2023-10-27
Title
Post Meta Data Manager < 1.2.1 - Subscriber+ Privilege Escalation
Published
2026-01-24
Title
WP Go Maps (formerly WP Google Maps) < 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification
Published
2024-10-25
Title
GRÜN spendino Spendenformular <= 1.0.1 - Unauthenticated Arbitrary Options Update