PT-2023-8991 · Unknown · Profilepress
Abdi Pranata · Published 2023-01-17 · Updated 2025-06-09
CVE-2023-41953
CVSS v2.0: 7.2 (High)
| Vector | AV:L/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
ProfilePress versions through 4.13.1
Description
The issue is a Missing Authorization vulnerability in the ProfilePress Membership Team plugin for WordPress. It is located in a function named admin notice() and is exploitable through Cross-Site Request Forgery (CSRF), because the nonce value supplied with the request is validated incorrectly. An attacker could use this to perform a CSRF attack against the affected function.
Recommendations
For versions through 4.13.1, update to a version that includes a fix for this issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
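To make the defect class concrete, the following is an added illustrative example, not ProfilePress code: a hypothetical WordPress "dismiss admin notice" handler in which the nonce is only checked for presence and no capability is enforced, next to the version that verifies the nonce and the caller's capability. All function, option and parameter names (`hypo_*`, `hypo_dismiss`) are invented for the example.

```php
<?php
// Added illustrative example (not ProfilePress code). Shows the pattern on
// this page: missing authorization plus CSRF because a nonce is never
// actually verified, alongside the checked version.

// BEFORE (hypothetical vulnerable pattern): the request is trusted as long
// as a "_wpnonce" parameter is present. The nonce value is never verified and
// the caller's capability is never checked, so any authenticated user, or a
// cross-site request riding on an admin's session, can change the option.
function hypo_dismiss_notice_unchecked() {
    if ( ! empty( $_GET['hypo_dismiss'] ) && isset( $_GET['_wpnonce'] ) ) {
        update_option( 'hypo_notice_dismissed', true );
    }
}

// AFTER (hardened): verify a nonce bound to this specific action, then
// enforce the capability. Both are needed: the nonce defeats CSRF, the
// capability check stops low-privilege users calling the action directly.
function hypo_dismiss_notice_checked() {
    if ( empty( $_GET['hypo_dismiss'] ) ) {
        return;
    }
    // Ends the request with a 403 if the nonce is missing, expired or was
    // issued for a different action.
    check_admin_referer( 'hypo_dismiss_notice' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), 403 );
    }
    update_option( 'hypo_notice_dismissed', true );
}
add_action( 'admin_init', 'hypo_dismiss_notice_checked' );

// The dismiss link must carry a nonce generated for the same action string,
// otherwise check_admin_referer() above will reject every legitimate click.
function hypo_render_notice() {
    if ( get_option( 'hypo_notice_dismissed' ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $url = wp_nonce_url(
        add_query_arg( 'hypo_dismiss', '1', admin_url() ),
        'hypo_dismiss_notice'
    );
    echo '<div class="notice notice-info"><p>Example notice. <a href="'
        . esc_url( $url ) . '">Dismiss</a></p></div>';
}
add_action( 'admin_notices', 'hypo_render_notice' );
```

When reviewing a plugin for this class of bug, look for handlers that read `$_GET`/`$_POST` and write options or state without a `check_admin_referer()`/`wp_verify_nonce()` call followed by a `current_user_can()` check.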
CSRF
Untrusted Search Path
Missing Authorization
Affected Products
Profilepress