WordPress Plugin Vulnerabilities

Wicked Folders < 2.18.17 - Subscriber+ Folder Structure Update

Description

The plugin does not have authorisation check when managing its folder structure (such as moving, deleting, creating etc folders), which could allow any authenticated users, such as subscriber to perform such actions

Affects Plugins

Plugin icon
wicked-folders
Fixed in 2.18.17

References

CVE
CVE-2023-0713
CVE
CVE-2023-0712
CVE
CVE-2023-0718
CVE
CVE-2023-0719
CVE
CVE-2023-0684
CVE
CVE-2023-0711
CVE
CVE-2023-0715
CVE
CVE-2023-0716
CVE
CVE-2023-0717
CVE
CVE-2023-0720

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
ffb8b425-8615-48e4-894b-a7f796522ea4

Timeline

Publicly Published
2023-02-07 (about 3 years ago)
Added
2023-02-07 (about 3 years ago)
Last Updated
2023-02-08 (about 3 years ago)

Other

Published
Title
Published
2025-12-19
Title
Pretty Google Calendar < 2.0.1 - Missing Authorization to Unauthenticated Google API Key Exposure
Published
2024-12-19
Title
Userpro <= 5.1.9 - Missing Authorization
Published
2024-10-09
Title
QA Analytics < 4.1.1.2 - Unauthenticated Settings Update
Published
2022-08-25
Title
About Rentals <= 1.5 - Unauthenticated Actions
Published
2023-04-19
Title
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update