WordPress Plugin Vulnerabilities

B2BKing < 4.6.20 - Subscriber+ Arbitrary Products Price Update

Description

The plugin does not have authorisation in some AJAX actions, allowing any authenticated users, such as subscriber to update the price of any WooCommerce products

Affects Plugins

Plugin icon
b2bking
Fixed in 4.6.20

References

CVE
CVE-2023-3126
CVE
CVE-2023-3125
URL
https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-b2bking-plugin/

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
Yes
WPVDB ID
fccc39ad-e7b2-4fc7-9b9c-494045858790

Timeline

Publicly Published
2023-06-03 (about 2 years ago)
Added
2023-06-05 (about 2 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2026-01-28
Title
Sendy < 3.4.3 - Missing Authorization
Published
2026-02-07
Title
Endless Posts Navigation < 2.3.0 - Missing Authorization
Published
2026-01-20
Title
Tutor LMS – eLearning and online course solution < 3.9.5 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
Published
2023-10-12
Title
WP ERP < 1.12.7 - Missing Authorization via admin notice dismissal
Published
2025-06-05
Title
Job Board Manager < 2.1.61 - Missing Authorization