CVE-2023-27626
Description
Missing Authorization vulnerability in Aleksandar Urošević Stock Ticker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stock Ticker: from n/a through 3.23.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=3.23.0
Patches
Vulnerability mechanics
Root cause
"Missing authorization check allows unauthenticated users to purge the plugin's stock cache via the stockticker_purge_cache URL parameter."
Attack vector
An unauthenticated attacker can exploit the missing authorization by sending crafted HTTP requests to the WordPress installation running the vulnerable Stock Ticker plugin. The advisory identifies that the `stockticker_purge_cache` URL parameter could be used by any visitor, without authentication, to purge the plugin's cached stock data [ref_id=1]. This is a classic Missing Authorization flaw [CWE-862] where the plugin fails to verify that the requesting user has the necessary capabilities before performing sensitive operations. The attack requires no special privileges, no user interaction, and can be carried out over the network.
Affected code
The vulnerability exists in the Stock Ticker plugin for WordPress (versions through 3.23.0). The plugin's authorization checks are missing or insufficient, allowing unauthenticated users to trigger actions that should require administrative privileges. The changelog entry for version 3.23.1 confirms a patch for "Broken Access Control" and specifically notes the removal of the `stockticker_purge_cache` URL parameter which allowed unauthorized users to purge the stock cache.
What the fix does
The fix, applied in version 3.23.1, removes the `stockticker_purge_cache` URL parameter entirely and adds proper authorization checks to the affected endpoints [ref_id=1]. By eliminating the unauthenticated cache purge mechanism and ensuring that only users with appropriate permissions can trigger administrative actions, the patch closes the access control gap. The changelog also notes that from version 3.23.1 onward, purging the stock cache is only possible by updating "All Stock Symbols" or running "Fetch Stock Data Now" on the plugin settings page, both of which require administrative access.
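As an added illustration of the CWE-862 pattern and the kind of authorization check the fix description refers to (this is not the Stock Ticker plugin's own code; the function names, transient key, settings page slug and the `manage_options` capability are assumptions), the first handler shows a cache purge reachable by any visitor through a URL parameter, and the second gates the same action on a capability check and a nonce:

```php
<?php
// Added illustration of the CWE-862 pattern described above; this is NOT
// the Stock Ticker plugin's own code. Function names, transient key,
// page slug and capability are assumptions.

// --- Before: a GET parameter any visitor can hit, no capability or nonce check ---
function example_purge_cache_unchecked() {
    if ( isset( $_GET['stockticker_purge_cache'] ) ) {
        delete_transient( 'example_stock_cache' ); // assumed cache key
    }
}
add_action( 'init', 'example_purge_cache_unchecked' );

// --- After: explicit admin-post handler gated on capability and nonce ---
function example_purge_cache_checked() {
    // 1. Authorization: only users who can manage site options may purge.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'example_purge_cache' );

    delete_transient( 'example_stock_cache' );

    wp_safe_redirect(
        add_query_arg( 'purged', '1', admin_url( 'options-general.php?page=example-stock-ticker' ) )
    );
    exit;
}
// admin_post_{action} fires only for logged-in users; an unauthenticated
// entry point would need admin_post_nopriv_{action}, which is deliberately
// not registered here.
add_action( 'admin_post_example_purge_cache', 'example_purge_cache_checked' );

// Settings-page button that emits the nonce-bearing URL for the handler,
// mirroring the "only from the plugin settings page" behaviour of the fix.
function example_purge_button_html() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=example_purge_cache' ),
        'example_purge_cache'
    );
    return '<a class="button" href="' . esc_url( $url ) . '">Purge stock cache</a>';
}
```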
Preconditions
- config: The Stock Ticker plugin must be installed and activated on a WordPress site
- auth: No authentication or special privileges are required
- network: The attacker must be able to send HTTP requests to the WordPress site
- input: The attacker sends a request containing the stockticker_purge_cache parameter
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: No linked articles in our index yet.