WordPress Plugin Vulnerabilities

Draw Attention < 2.0.12 - Subscriber+ Unauthorized Featured Image Modification

Description

The plugin does not perform a capability check on the ajax_set_featured_image function, allowing authenticated users with subscriber-level permissions to modify featured images of arbitrary posts using images from the media library.

Affects Plugins

Plugin icon
draw-attention
Fixed in 2.0.12

References

CVE
CVE-2023-2764
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/draw-attention/draw-attention-2011-missing-authorization-to-arbitrary-post-featured-image-modification

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
fd80a901-0ae9-43ec-97e0-539fdded9747

Timeline

Publicly Published
2023-05-30 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2023-10-20
Title
Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure
Published
2023-10-31
Title
WooODT Lite < 2.4.7 - Missing Authorization to Arbitrary Options Update
Published
2025-12-15
Title
Image Caption Hover Pro < 20.0 - Missing Authorization
Published
2025-12-02
Title
Tiktok Feed < 1.0.24 - Missing Authorization
Published
2024-03-29
Title
DELUCKS SEO < 2.5.5 - Missing Authorization