CVE-2023-2351

Name of the Vulnerable Software and Affected Versions WP Directory Kit plugin for WordPress versions up to, and including, 1.2.3

Description The issue allows unauthorized modification and loss of data due to a missing capability check on the ajax admin function. This enables authenticated attackers with subscriber-level permissions or above to perform various malicious actions, including deleting or changing plugin settings, importing demo data, deleting related posts and terms, and installing arbitrary plugins.

Recommendations For WP Directory Kit plugin for WordPress versions up to, and including, 1.2.3, consider updating to a version that fully addresses the issue, as version 1.2.0 only introduced a partial patch. As a temporary workaround, consider restricting access to the ajax admin function until a complete patch is available.