BWL Advanced FAQ Manager Missing Authorization Vulnerability Allowing Arbitrary Options Update

Vulnerability

A vulnerability exists in the BWL Advanced FAQ Manager plugin for WordPress, in all versions through 2.1.4. The issue arises from a lack of proper capability checks on the 'baf_set_notice_status' AJAX action, allowing authenticated attackers with Subscriber-level access and above to modify option values without authorization. This could lead to a denial-of-service condition by causing errors on the site or by manipulating options related to user registration.
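The bug class described above is a WordPress AJAX handler that is reachable by any logged-in user (every wp_ajax_* hook is) and writes an option without first checking the caller's capability. The following is an added illustration of that pattern and its hardened counterpart; it is not the plugin's code, and the function names, hook names, option name ('example_notice_status') and nonce action ('example_notice_nonce') are assumptions chosen for the example. The hardened handler adds the three controls a reviewer would look for in such a handler: a nonce check, a capability check, and removing the caller's ability to choose which option is written.

```php
<?php
// Added illustration of the missing-authorization pattern in a WordPress
// AJAX handler. NOT the plugin's code; all names below are assumptions.

// Vulnerable pattern: wp_ajax_* hooks fire for any authenticated user, so a
// Subscriber can reach this and set an arbitrary option name and value.
function example_vulnerable_set_notice_status() {
    $option = $_POST['option_name'];
    $value  = $_POST['option_value'];
    update_option( $option, $value ); // no capability check, no nonce, no allow-list
    wp_send_json_success();
}
add_action( 'wp_ajax_example_vulnerable_set_notice_status', 'example_vulnerable_set_notice_status' );

// Hardened pattern: verify the nonce (CSRF), require a capability that the
// action actually warrants, and only touch the one option the feature owns.
function example_hardened_set_notice_status() {
    // Dies with a 403 if the nonce sent as the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_notice_nonce', 'nonce' );

    // Capability check: updating site options is an administrator action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // The caller chooses only the state, never the option name.
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, array( 'dismissed', 'visible' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }

    // Fixed option name; the value has been restricted to a known allow-list.
    update_option( 'example_notice_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}
add_action( 'wp_ajax_example_hardened_set_notice_status', 'example_hardened_set_notice_status' );
```

When auditing a plugin for this class of issue, the check is mechanical: for every add_action( 'wp_ajax_...' ) registration, confirm the callback calls current_user_can() (or an equivalent capability check) before any update_option() or similar write, and that a nonce is verified. A missing capability check is the authorization bug; a missing nonce is a separate CSRF bug that often accompanies it.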

Impact

Exploitation of this vulnerability could result in unauthorized data modification, potentially causing errors that disrupt normal site operations and access for legitimate users.

Remediation

Users are advised to update the BWL Advanced FAQ Manager plugin to version 2.1.5 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.