WordPress Plugin Vulnerabilities

Post Meta Data Manager < 1.2.1 - Subscriber+ Privilege Escalation

Description

The plugin does not properly implement capability checks on certain functions, which results in potential unauthorized modification of data. As a result, authenticated users with subscriber-level permissions can potentially gain elevated privileges.

Affects Plugins

Plugin icon
post-meta-data-manager
Fixed in 1.2.1

References

CVE
CVE-2023-5425
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7f4e710-99a2-49df-a513-725e1daaa18a

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
8e8dc04c-7809-42d6-b2a7-e3d1b8ba7f18

Timeline

Publicly Published
2023-10-27 (about 6 months ago)
Added
2023-11-03 (about 6 months ago)
Last Updated
2023-11-03 (about 6 months ago)

Other

Published
Title
Published
2024-04-29
Title
Debug Log Manager < 2.3.2 - Missing Authorization via toggle_debugging
Published
2024-04-05
Title
All-in-One Video Gallery < 3.6.0 - Missing Authorization
Published
2024-02-09
Title
Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Missing Authorization via wpas_get_users()
Published
2020-11-27
Title
NEX-Forms < 7.8 - Subscriber+ Unauthorised AJAX Calls
Published
2024-04-22
Title
Evergreen Content Poster < 1.4.3 - Missing Authorization