CVE-2023-51362

Vulnerability

Overview

CVE-2023-51362 is a missing authorization vulnerability in the Premio My Sticky Elements plugin for WordPress. The plugin fails to properly enforce access controls on certain functions, allowing unprivileged users to execute actions that should require higher privileges [1]. This broken access control issue affects all versions from n/a through 2.1.3.

Exploitation

Attackers can exploit this vulnerability without needing any authentication or by leveraging low-privileged accounts. The Patchstack advisory notes that this type of vulnerability is commonly used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1]. No special network position is required beyond typical web access.

Impact

Successful exploitation could allow an attacker to perform unauthorized operations, potentially leading to site compromise, data exposure, or further privilege escalation. While the CVSS score is 5.3 (Medium), the actual risk depends on the specific functions exposed [1].

Mitigation

The vulnerability has been patched in version 2.1.4. Users are strongly advised to update immediately or enable auto-updates via Patchstack [1]. If updating is not possible, consulting a hosting provider or web developer is recommended.