CVE-2023-46632
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Missing Authorization in My Shortcodes WordPress plugin allows attackers to exploit incorrectly configured access control, affecting versions up to 2.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The My Shortcodes WordPress plugin (versions up to and including 2.3) contains a Missing Authorization vulnerability [1]. The plugin does not properly verify access rights for certain functionality, which lets attackers exploit incorrectly configured access control. The exact affected endpoint or function is not disclosed, but the issue lies in a code path where authorization checks are missing or insufficient. The plugin has been removed from the official WordPress.org plugin directory due to a security issue [1].
Exploitation
An attacker can exploit this vulnerability without requiring authentication or any special privileges if the vulnerable code path is exposed. The missing authorization check means that any unauthenticated user can trigger the vulnerable functionality. The specific sequence of steps is not publicly documented, but the attacker likely accesses a particular REST endpoint, AJAX action, or shortcode handler that performs actions without first verifying the user's capabilities [1].
Impact
Successful exploitation allows an attacker to perform actions that should be restricted to authorized users. The exact impact depends on the missing authorization context, but typical outcomes include unauthorized modification of content, privilege escalation, disclosure of sensitive information, or execution of administrative functions. Given the severity (CVSS v3 7.1) [1], the impact is significant, potentially leading to complete site compromise if the missing authorization affects critical settings or data.
Mitigation
As of January 2025, no patched version exists. The plugin was closed and removed from the WordPress.org plugin directory on March 7, 2024 due to a security issue [1]. The plugin has no official fix available and is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Users who have the plugin installed should uninstall and remove it immediately [1]. There is no workaround other than complete removal, as the plugin is no longer maintained or distributed.
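To act on the removal advice above, the following added example (not code from this page or from the plugin) locates installed copies of the plugin under a hosting root and reads each copy's header version. It assumes the standard `wp-content/plugins/<slug>` layout; the function names are hypothetical, and because the plugin's main file name is not given here, every top-level PHP file is checked for a header.

```python
import re
from pathlib import Path

SLUG = "my-shortcodes"   # plugin slug as given on this page
LAST_AFFECTED = (2, 3)   # page: affected range is <=2.3

# WordPress plugin headers carry a "Version:" line inside a PHP comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.I | re.M)

def header_version(php_text):
    """Parse the plugin header version into a tuple of ints, or None."""
    m = VERSION_RE.search(php_text)
    if not m:
        return None
    nums = [int(n) for n in re.findall(r"\d+", m.group(1))]
    while len(nums) > 1 and nums[-1] == 0:   # treat 2.3.0 the same as 2.3
        nums.pop()
    return tuple(nums)

def is_affected(version):
    """Unknown versions count as affected: no fixed release exists to compare against."""
    return version is None or version <= LAST_AFFECTED

def find_installs(root):
    """Return [(plugin_dir, version, affected)] for every copy of SLUG under root."""
    found = []
    for d in sorted(Path(root).rglob(SLUG)):
        if not (d.is_dir() and d.parent.name == "plugins"):
            continue
        version = None
        for php in sorted(d.glob("*.php")):   # headers live in top-level PHP files
            with open(php, "r", errors="replace") as fh:
                version = header_version(fh.read(8192))   # WordPress reads the first 8 KB
            if version is not None:
                break
        found.append((str(d), version, is_affected(version)))
    return found

if __name__ == "__main__":
    import sys
    for path, version, affected in find_installs(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{path}\tversion={shown}\t{'REMOVE (affected)' if affected else 'outside listed range'}")
```

Run it with the hosting root as the only argument; each reported directory is a copy to uninstall, since no fixed release is distributed.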
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=2.3
Patches (0)
my-shortcodes: This plugin was removed from the WordPress.org directory on 2024-03-07 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References (1)