Insecure Direct Object Reference in BadgeOS Plugin for WordPress
CVE-2023-2172
4.3MEDIUM
What is CVE-2023-2172?
The BadgeOS plugin for WordPress is susceptible to Insecure Direct Object Reference due to insufficient validation and authorization checks in several functions. This allows authenticated users with subscriber-level access or higher to manipulate post titles illegitimately. The vulnerability exists in version 3.7.1.6 and earlier, where functions such as badgeos_update_steps_ajax_handler and others fail to adequately restrict access, exposing the system to potential misuse.
Affected Version(s)
BadgeOS * <= 3.7.1.6