Medium severity 6.5 · NVD Advisory · Published Jun 13, 2023 · Updated Apr 8, 2026
CVE-2023-2351
Description
The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and including, 1.2.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to delete or change plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0.
Affected products
- cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:* (Range: <1.2.4)
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/changeset (nvd: Patch, Release Notes)
- plugins.trac.wordpress.org/changeset (nvd: Patch, Release Notes)
- plugins.trac.wordpress.org/changeset (nvd: Patch, Release Notes)
- plugins.trac.wordpress.org/changeset (nvd: Patch, Release Notes)
- www.wordfence.com/threat-intel/vulnerabilities/id/50c5154c-1573-4c2b-85a1-a89bdb22dc7d (nvd: Patch, Third Party Advisory)
- plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/public/class-wpdirectorykit-public.php (nvd: Exploit)