WordPress Plugin Vulnerabilities

WP Private Message < 1.0.6 - Private Message Disclosure via IDOR

Description

The plugin (bundled with the Superio theme as a required plugin) does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID.

Proof of Concept

Affects Plugins

Plugin icon
wp-private-message
Fixed in 1.0.6

References

CVE
CVE-2023-0453
URL
https://themeforest.net/item/superio-job-board-wordpress-theme/32180231
YouTube Video

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Veshraj Ghimire
Submitter
Veshraj Ghimire
Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified
Yes
WPVDB ID
f915e5ac-e216-4d1c-aec1-c3be11e2a6de

Timeline

Publicly Published
2023-01-30 (about 2 years ago)
Added
2023-01-30 (about 2 years ago)
Last Updated
2023-01-30 (about 2 years ago)

Other

Published
Title
Published
2023-06-29
Title
SP Project & Document Manager < 4.68 - Subscriber+ Insecure Direct Object References
Published
2024-12-23
Title
Content No Cache: prevent specific content from being cached < 0.1.3 - Unauthenticated Private Content Disclosure
Published
2025-11-11
Title
Wishlist and Save for later for Woocommerce < 1.1.23 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion
Published
2025-05-01
Title
Homey - Booking and Rentals WordPress Theme < 2.4.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion
Published
2022-10-21
Title
Quiz And Survey Master < 7.3.7 - Multiple Author+ IDOR