WordPress Plugin Vulnerabilities

Ashe Extra < 1.2.92 - Subscriber+ Companion Plugin Activation & Content Import

Description

The plugin does not have authorisation in various AJAX actions, allowing any authenticated user, such as subscribers to call them, and activate companion plugins as well as import content

Affects Plugins

Plugin icon
ashe-extra
Fixed in 1.2.92

References

CVE
CVE-2023-46079
URL
https://patchstack.com/database/vulnerability/ashe-extra/wordpress-ashe-extra-plugin-1-2-6-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
f95686f7-b9f8-46e1-9890-3c37055bee66

Timeline

Publicly Published
2023-10-16 (about 6 months ago)
Added
2023-11-23 (about 5 months ago)
Last Updated
2024-03-13 (about 1 months ago)

Other

Published
Title
Published
2023-10-03
Title
Optimize Database after Deleting Revisions < 5.1 - Missing Authorization via 'odb_csv_download'
Published
2023-12-06
Title
Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy <= 2.1.2 - Missing Authorization
Published
2024-04-30
Title
iPanorama 360 WordPress Virtual Tour Builder < 1.8.2 - Missing Authorization
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary Option Deletion
Published
2024-02-12
Title
WP Media folder < 5.7.3 - Missing Authorization to Authenticated(Subscriber+) Plugin settings change