Cyber Resilience

CVE-2023-46309

Medium

Published: 02 January 2025
Modified: 29 April 2026
KEV Added: not listed
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0010 (27.6th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46309 is a medium-severity Missing Authorization (CWE-862) vulnerability in Gvectors Wpdiscuz. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-46309 is a missing authorization vulnerability (CWE-862) in the wpDiscuz WordPress plugin developed by AdvancedCoding. The flaw lets an attacker exploit incorrectly configured access control security levels, and it affects all versions of wpDiscuz up to and including 7.6.10 (no lower version bound is given). Published on January 2, 2025, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation bypasses the plugin's intended access controls and yields a limited integrity impact, such as unauthorized modifications; confidentiality and availability are not affected.

Patchstack provides details on this broken access control issue in wpDiscuz version 7.6.10 via its vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wpdiscuz/vulnerability/wordpress-wpdiscuz-plugin-7-6-10-broken-access-control-vulnerability?_s_id=cve.


Vulnerability details

Missing Authorization vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through <= 7.6.10.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A missing authorization flaw (CWE-862) in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of the web application, which is the pattern T1190 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-45760 - Same product: Gvectors Wpdiscuz
CVE-2026-22202 - Same product: Gvectors Wpdiscuz
CVE-2026-22192 - Same product: Gvectors Wpdiscuz
CVE-2026-22193 - Same product: Gvectors Wpdiscuz
CVE-2026-22182 - Same product: Gvectors Wpdiscuz
CVE-2026-22199 - Same product: Gvectors Wpdiscuz
CVE-2026-45209 - Shared CWE-862
CVE-2026-25026 - Shared CWE-862
CVE-2026-42083 - Shared CWE-862
CVE-2026-0656 - Shared CWE-862

Affected Assets

Vendor: gvectors
Product: wpdiscuz
Versions: ≤ 7.6.11

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Timely flaw remediation directly patches the missing authorization vulnerability in wpDiscuz, preventing unauthenticated exploitation of the broken access controls.

AC-3 Access Enforcement (prevent): Access enforcement requires the plugin to implement and enforce approved authorizations on every privileged action, which addresses the missing authorization checks that allow unauthorized modifications.

Secure configuration (prevent): Secure configuration settings for the wpDiscuz plugin mitigate exploitation of incorrectly configured access control security levels.
