VYPR
Medium severity 5.3 · NVD Advisory · Published Dec 9, 2024 · Updated Apr 28, 2026

CVE-2023-30488

Description

Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Featured Post Creative allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Featured Post Creative: from n/a through 1.2.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in Featured Post Creative WordPress plugin (≤1.2.7) allows unauthenticated attackers to exploit broken access controls.

The Featured Post Creative plugin for WordPress, developed by WP OnlineSupport and Essential Plugin, contains a missing authorization vulnerability in versions up to and including 1.2.7. This flaw arises from an incorrectly configured access control security level, meaning that certain functions lack proper authorization checks, authentication requirements, or nonce token validation [1].

An unauthenticated attacker can exploit this vulnerability to execute actions that should be reserved for higher-privileged users, such as administrators. The attack requires no authentication and can be carried out remotely over the network. The vulnerability is classified as a broken access control issue (CWE-862) with a CVSS v3 base score of 5.3, indicating medium severity [1].

Successful exploitation could allow an attacker to perform unauthorized operations within the WordPress installation, potentially leading to data exposure or further compromise. This vulnerability is considered to be used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].

The vendor has released version 1.2.8 to address this issue. Users are strongly advised to update the Featured Post Creative plugin to version 1.2.8 or later. Those unable to update immediately should seek assistance from their hosting provider or web developer. Patchstack users can enable auto-update for vulnerable plugins as a preventive measure [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
