Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function

Summary

CVE	CVE-2023-0958
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-07-28 05:15:09 UTC
Updated	2026-04-08 19:18:04 UTC
Description	Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX aciton in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability.

Risk And Classification

Primary CVSS: v3.1 6.5 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.002240000 probability, percentile 0.451380000 (date 2026-04-09)

Problem Types: CWE-862 | CWE-862 CWE-862 Missing Authorization

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	6.5	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N`
3.1	[email protected]	Secondary	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`
3.1	CNA	DECLARED	4.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Backupbliss	Backup Migration	All	All	All	All
Application	Backupbliss	Clone	All	All	All	All
Application	Copy-delete-posts	Duplicate Post	All	All	All	All
Application	Inisev	Enhanced Text Widget	All	All	All	All
Application	Inisev	Redirection	All	All	All	All
Application	Inisev	Rss Redirect Feedburner Alternative	All	All	All	All
Application	Inisev	Ssl Mixed Content Fix	All	All	All	All
Application	Inisev	Ultimate Posts Widget	All	All	All	All
Application	Mypopups	Pop-up	All	All	All	All
Application	Socialshare	Social Share Icons Social Share Buttons	All	All	All	All
Application	Ultimatelysocial	Social Media Share Buttons Social Sharing Icons	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Inisev	Redirection	affected 1.1.3 semver	Not specified
CNA	Inisev	Pop-up	affected 1.1.9 semver	Not specified
CNA	Inisev	BackupBliss Backup Migration With Free Cloud Storage	affected 1.2.7 semver	Not specified
CNA	Inisev	Duplicate Post	affected 1.3.9 semver	Not specified
CNA	Cl272	Enhanced Text Widget	affected 1.5.7 semver	Not specified
CNA	Cl272	Ultimate Posts Widget	affected 2.2.4 semver	Not specified
CNA	Migrate	Clone	affected 2.3.7 semver	Not specified
CNA	Inisev	Social Media Share Buttons Social Sharing Icons	affected 2.8.1 semver	Not specified
CNA	Steve85b	SSL Mixed Content Fix	affected 3.2.3 semver	Not specified
CNA	Inisev	Social Share Icons Social Share Buttons	affected 3.5.7 semver	Not specified
CNA	S-feeds	RSS Redirect Feedburner Alternative	affected 3.7 semver	Not specified

References

Reference	Source	Link	Tags
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function	af854a3a-2127-422b-91ae-364da2661108	www.wordfence.com	Third Party Advisory
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Patch
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
403 Forbidden	af854a3a-2127-422b-91ae-364da2661108	plugins.trac.wordpress.org	Product
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Chloe Chamberland (en)

Additional Advisory Data

Source	Time	Event
CNA	2023-02-22T00:00:00.000Z	Discovered
CNA	2023-02-22T00:00:00.000Z	Vendor Notified
CNA	2023-07-27T00:00:00.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.