WordPress Plugin Vulnerabilities

My Shortcodes <= 2.3 - Missing Authorization via Multiple AJAX Actions

Description

The My Shortcodes plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX actions in versions up to, and including, 2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Plugin icon
my-shortcodes
No known fix

References

CVE
CVE-2023-46632
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7a931496-f130-4910-9116-6c2c4df760f5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
f63ebf7a-dfd1-42dd-85ce-77229a6a2c79

Timeline

Publicly Published
2023-10-25 (about 6 months ago)
Added
2023-11-23 (about 5 months ago)
Last Updated
2024-01-22 (about 3 months ago)

Other

Published
Title
Published
2023-05-23
Title
Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Broken Access Control
Published
2023-09-22
Title
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure
Published
2024-03-26
Title
Colibri Page Builder < 1.0.249 - Missing Authorization
Published
2023-11-07
Title
Dragfy Addons for Elementor <= 1.0.2 - Missing Authorization via save_settings
Published
2023-09-22
Title
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure