PT-2023-17529 · WordPress · The Announcement & Notification Banner – Bulletin

Chloe Chamberland · Published 2023-06-09 · Updated 2023-06-15 · CVE-2023-2066

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: The Announcement & Notification Banner – Bulletin plugin for WordPress, versions up to and including 3.6.0.

Description: The plugin allows unauthorized access to and modification of data due to a missing capability check on the bulletinwp update bulletin status, bulletinwp update bulletin, bulletinwp update settings, bulletinwp update status, bulletinwp export bulletins, and bulletinwp import bulletins functions. This enables authenticated attackers with subscriber-level access and above to modify the plugin's settings, modify bulletins, create new bulletins, and more.

Recommendations: For versions up to and including 3.6.0, update to a version higher than 3.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable functions until a patch is available.
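The weakness class above is a WordPress handler reachable by any logged-in user that never asks whether that user is allowed to perform the action. The following is an added illustration of that pattern and its fix, not the Bulletin plugin's own code: the function, option and action names (demo_*) are hypothetical, and the hardened form adds the capability check and nonce check that a settings-changing handler needs.

```php
<?php
// Illustrative WordPress AJAX handlers (hypothetical names, not the plugin's code).
// wp_ajax_{action} hooks fire for every authenticated user, subscribers included,
// so the handler itself must decide who is allowed to change anything.

// VULNERABLE PATTERN: no capability check, no nonce check. Any logged-in user
// who posts to admin-ajax.php?action=demo_update_settings can rewrite the option.
function demo_vulnerable_update_settings() {
    $settings = array(
        'message' => isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '',
        'enabled' => ! empty( $_POST['enabled'] ),
    );
    update_option( 'demo_banner_settings', $settings ); // missing authorization
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_settings', 'demo_vulnerable_update_settings' );

// HARDENED PATTERN: same handler with the two missing controls.
function demo_hardened_update_settings() {
    // 1. Authorization: only users who may manage site options proceed.
    //    This is the check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Intent: the request must carry a nonce issued with
    //    wp_create_nonce( 'demo_settings_nonce' ) on the settings page (CSRF guard).
    check_ajax_referer( 'demo_settings_nonce', 'nonce' );

    $settings = array(
        'message' => isset( $_POST['message'] )
            ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
            : '',
        'enabled' => ! empty( $_POST['enabled'] ),
    );
    update_option( 'demo_banner_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_settings_safe', 'demo_hardened_update_settings' );
```

Reviewing a plugin for this bug class means locating every wp_ajax_*, REST route and admin-post handler that writes data and confirming each one performs a current_user_can() check for an appropriate capability before the write.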

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2023-2066

Affected Products: The Announcement & Notification Banner – Bulletin