WordPress Plugin Vulnerabilities

Announcement & Notification Banner – Bulletin < 3.7.0 - Subscriber+ Unauthorized Access and Modification

Description

The plugin does not properly implement capability checks, allowing an attacker with subscriber-level access to modify the plugin's settings, modify bulletins, and create new bulletins.

Affects Plugins

Plugin icon
bulletin-announcements
Fixed in 3.7.0

References

CVE
CVE-2023-2066
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bulletin-announcements/announcement-notification-banner-bulletin-360-missing-authorization-checks

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
7cf3cad8-a0e3-4b54-b741-4faa377ac511

Timeline

Publicly Published
2023-05-11 (about 1 years ago)
Added
2023-06-09 (about 11 months ago)
Last Updated
2023-06-09 (about 11 months ago)

Other

Published
Title
Published
2023-02-03
Title
User Activity <= 1.0.1 - IP Spoofing
Published
2014-08-01
Title
Site5 Wordpress Themes Email Spoofing
Published
2024-01-16
Title
Author Box, Guest Author and Co-Authors for Your Posts – Molongui < 4.7.5 - Information Exposure via ma_debug
Published
2019-10-25
Title
WP Email Template < 2.2.11 - HTML Injection
Published
2014-08-01
Title
NextGEN Gallery 2.0.0 - Directory Traversal