CVE-2023-1874

Name of the Vulnerable Software and Affected Versions WP Data Access plugin for WordPress versions up to, and including, 5.3.7

Description The issue is related to a lack of authorization checks on the multiple roles update function, allowing authenticated attackers with minimal permissions to modify their user role. This can be achieved by supplying the wpda role[] parameter during a profile update, provided the 'Enable role management' setting is enabled.

Recommendations For WP Data Access plugin for WordPress versions up to, and including, 5.3.7, consider disabling the 'Enable role management' setting to prevent exploitation until a patch is available. Restrict access to the multiple roles update function to minimize the risk of unauthorized role modifications. Avoid using the wpda role[] parameter in profile updates until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.