WordPress Plugin Vulnerabilities

Give - Donation Plugin < 2.33.1 - Authenticated(Give Manager+) Privilege Escalation

Description

The Give - Donation Plugin plugin for WordPress is vulnerable to privilege escalation due to an insufficient capability check when updating default roles in versions up to, and including, 2.33.0. This makes it possible for authenticated attackers with Give Manager privileges to elevate their privileges to those of an administrator by setting the default role in the plugin's settings.

Affects Plugins

Plugin icon
give
Fixed in 2.33.1

References

CVE
CVE-2023-41665
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/22ff4b09-063b-425e-9d59-be2e5d283186

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
fd6e166c-0c72-43cf-830a-e5d2744e47c2

Timeline

Publicly Published
2023-08-31 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2024-12-11
Title
WooCommerce PDF Vouchers < 4.9.9 - Authentication Bypass
Published
2018-07-06
Title
Ninja Forms < 3.3.9 - Insufficient Restrictions during Export Personal Data requests
Published
2024-04-11
Title
ProfilePress < 4.15.5 - Contributor+ Stored Cross-Site Scripting
Published
2014-08-01
Title
Count Per Day <= 3.1 - download.php f Parameter Traversal Arbitrary File Access
Published
2023-11-03
Title
Defender Security < 4.2.1 - Masked Login Area Security Feature Bypass