CVE-2023-2434: Diff [2814681:2919175] for wp-nested-pages – WordPress Plugin Repository
The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘reset’ function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings.
wp-nested-pages/trunk/app/Form/Listeners/ResetSettings.php
r2814681
r2919175
12
12
private function reset()
13
13
{
14
if ( !current\_user\_can('manage\_options') ) return;
14
15
$this->settings->resetSettings();
15
16
return wp\_send\_json(\['status' => 'success'\]);
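Review bot: The bare return on the new capability check in reset() ends the request with no response at all, while the permitted path answers with wp_send_json(['status' => 'success']). A caller without manage_options therefore gets an empty body that is indistinguishable from a broken request. Consider answering the denied case explicitly, for example with wp_send_json_error and a 403 status, so that clients and logs can tell a refused reset from a failed one. The visible lines also show no nonce verification ahead of $this->settings->resetSettings(); if the caller of reset() does not already do that, it belongs next to the capability check.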
wp-nested-pages/trunk/app/NestedPages.php
r2814681
r2919175
13
13
14
14
global $np\_version;
15
$np\_version = '3.2.3';
15
$np\_version = '3.2.4';
16
16
17
17
if ( is\_admin() ) $app = new NestedPages\\Bootstrap;
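Review bot: The version string in $np_version = '3.2.4'; is hard-coded here and has to be bumped by hand in two more places in this same change, the Version: header in nestedpages.php and the Stable tag: line in readme.txt. Reading the value from the plugin header once (for example via get_file_data) would leave one fewer copy to drift on the next security release.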
wp-nested-pages/trunk/nestedpages.php
r2814681
r2919175
4
4
Plugin URI: http://nestedpages.com
5
5
Description: Provides an intuitive drag and drop interface for managing pages in the Wordpress admin, while enhancing quick edit. Includes an auto-generated menu to match the nested interface, support for all post types and more.
6
Version: 3.2.3
6
Version: 3.2.4
7
7
Author: Kyle Phillips
8
8
Author URI: https://github.com/kylephillips
…
…
13
13
*/
14
14
15
/* Copyright 2022 Kyle Phillips (email : [email protected])
15
/* Copyright 2023 Kyle Phillips (email : [email protected])
16
16
17
17
This program is free software; you can redistribute it and/or modify
wp-nested-pages/trunk/readme.txt
r2814681
r2919175
6
6
Tested up to: 6.1
7
7
Requires PHP: 5.4
8
Stable tag: 3.2.3
8
Stable tag: 3.2.4
9
9
License: GPLv2 or later
10
10
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
105
105
106
106
== Changelog ==
107
108
= 3.2.4 =
109
* Security update
107
110
108
111
= 3.2.3 =
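Review bot: The 3.2.4 changelog entry "* Security update" does not say what was fixed. Since the change in ResetSettings.php adds a manage_options check to the settings reset, naming that in the entry would let site owners judge how urgently they need to update.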