CVE-2023-6966

Name of the Vulnerable Software and Affected Versions The Moneytizer plugin for WordPress versions up to, and including, 9.5.20

Description The issue is caused by a missing capability check on multiple AJAX functions in the /core/core ajax.php file. This allows authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages, as well as perform other lower-severity actions.

Recommendations For versions up to, and including, 9.5.20, update to a version higher than 9.5.20 to resolve the issue. As a temporary workaround, consider restricting access to the /core/core ajax.php file and its associated AJAX functions until a patch is available. Restrict subscriber access and above to minimize the risk of exploitation.