VYPR
Medium severity 6.3 · NVD Advisory · Published Jun 9, 2023 · Updated Apr 8, 2026

CVE-2023-2067

Description

The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the 'bulletinwp_update_bulletin_status', 'bulletinwp_update_bulletin', 'bulletinwp_update_settings', 'bulletinwp_update_status', 'bulletinwp_export_bulletins', and 'bulletinwp_import_bulletins' functions in versions up to, and including, 3.7.0. This makes it possible for unauthenticated attackers to modify the plugin's settings, modify bulletins, create new bulletins, and more, via a forged request, provided they can trick a site's user into performing an action such as clicking on a link.
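The missing check, shown as an added example on a hypothetical settings handler (this is not the Bulletin plugin's source). The `example_*` function, option, nonce and script names are invented, and registration as an admin-ajax action is an assumption. The same two checks apply to each of the six functions listed above.

```php
<?php
// Added illustration: hypothetical handlers, not the Bulletin plugin's code.
// Assumed: the handler is an admin-ajax action; all example_* names are invented.

// Before: no nonce check. The browser attaches the session cookie on its own,
// so a request triggered from another site looks like a genuine one.
function example_update_settings_unsafe() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_bulletin_settings', array_map( 'sanitize_text_field', $settings ) );
    wp_send_json_success();
}

// After: require a nonce minted for this user and action, then check capability.
function example_update_settings() {
    // Third argument false: return false instead of dying, so we pick the response.
    if ( ! check_ajax_referer( 'example_update_settings', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    // A valid nonce proves intent, not authority; check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_bulletin_settings', array_map( 'sanitize_text_field', $settings ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_settings', 'example_update_settings' );

// The admin page that submits the request must ship the matching nonce.
function example_enqueue_admin_script() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_update_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

`wp_send_json_error()` ends the request, so nothing after a failed check runs.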

Affected products

  • cpe:2.3:a:bulletin:announcement_\&_notification_banner_-_bulletin:*:*:*:*:*:wordpress:*:* (range: <=3.7.0)
  • (no CPE) (range: <=3.7.0)
