Cyber Resilience

CVE-2023-47179

High

Published: 02 January 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2399 (96.2th percentile)
Risk Priority: 32 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-47179 is a high-severity Missing Authorization (CWE-862) vulnerability in Byconsole WooODT Lite. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 3.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

The vulnerability is a missing authorization flaw, tracked as CWE-862, in the WooODT Lite WordPress plugin (byconsole-woo-order-delivery-time) maintained by mdalabar. It affects all versions through 2.4.6 and stems from incorrectly configured access control security levels that fail to properly restrict privileged operations.

An authenticated attacker with low-privileged access can exploit the issue over the network to perform arbitrary site option updates. Successful exploitation grants the ability to modify configuration settings, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

The Patchstack advisory identifies the flaw specifically as an arbitrary site option update vulnerability and provides a database entry for the affected plugin versions. No separate patch or mitigation details are supplied in the reference. The associated EPSS score has remained flat at 0.2399 with no material increase observed after disclosure.

Vulnerability details

Missing Authorization vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooODT Lite: from n/a through <= 2.4.6.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation (tactic: Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Missing authorization (CWE-862) for arbitrary WordPress option updates by low-privileged users directly enables privilege escalation (T1068) and account manipulation via config changes such as admin email takeover (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25045 (shared CWE-862)
CVE-2024-13677 (shared CWE-862)
CVE-2026-4261 (shared CWE-862)
CVE-2026-35182 (shared CWE-862)
CVE-2026-7802 (shared CWE-862)
CVE-2025-8310 (shared CWE-862)
CVE-2025-8322 (shared CWE-862)
CVE-2025-26378 (shared CWE-862)
CVE-2024-12876 (shared CWE-862)
CVE-2026-2941 (shared CWE-862)

Affected Assets

byconsole wooodt lite, versions ≤ 2.4.7

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations for access to system resources, preventing low-privileged users from exploiting missing authorization to perform arbitrary site option updates.

CM-5 Access Restrictions for Change (prevent): Restricts access to configuration changes, such as site options, to authorized personnel only, mitigating unauthorized updates by low-privileged users.

AC-6 Least Privilege (prevent): Enforces least privilege to ensure low-privileged users cannot perform high-impact actions like arbitrary site option modifications even if exploited.
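The flaw class described in the Deeper analysis section, and the three controls above, come down to one code pattern in a WordPress plugin: an admin-ajax handler that writes a site option without checking who is calling or which option is being written. The following is a constructed illustration added here for this page; it is not the WooODT Lite plugin's code, and the hook names, option keys, and nonce action (`example_save_setting`, `example_delivery_window`, `example_settings_nonce`, and so on) are hypothetical. It shows the CWE-862 pattern beside a hardened handler that applies AC-3 (a capability check), CM-5 (an allowlist of option keys so the client can never name an arbitrary option), and AC-6 (subscriber-level accounts are refused).

```php
<?php
/**
 * Constructed example (not the WooODT Lite plugin's code): an admin-ajax
 * handler that updates a site option, first in the CWE-862 form and then
 * in a hardened form. Hook names and option keys are hypothetical.
 */

// VULNERABLE PATTERN. Every logged-in user can reach wp_ajax_* hooks, and
// nothing here checks a capability, a nonce, or which option is written,
// so a low-privileged account can update any option in wp_options.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unsafe' );
function example_save_setting_unsafe() {
    $name  = isset( $_POST['option_name'] ) ? $_POST['option_name'] : '';
    $value = isset( $_POST['option_value'] ) ? $_POST['option_value'] : '';
    update_option( $name, $value ); // arbitrary site option update
    wp_send_json_success();
}

// HARDENED PATTERN. The allowlist is the CM-5 control: only these keys can
// change through this handler, each with its own sanitizer.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_delivery_window' => 'sanitize_text_field', // hypothetical key
    'example_slot_length'     => 'absint',              // hypothetical key
);

add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_safe' );
function example_save_setting_safe() {
    // Nonce check: the request must come from a form this site issued to
    // this user, which also closes the CSRF route to the same handler.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    // AC-3 / AC-6: only accounts holding manage_options may proceed;
    // wp_send_json_error() terminates the request after sending the reply.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';

    // CM-5: the client selects from the allowlist; an unknown key is rejected
    // before any write happens.
    if ( ! array_key_exists( $name, EXAMPLE_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( array( 'message' => 'unknown setting' ), 400 );
    }

    $sanitize = EXAMPLE_ALLOWED_OPTIONS[ $name ];
    $value    = isset( $_POST['option_value'] )
        ? call_user_func( $sanitize, wp_unslash( $_POST['option_value'] ) )
        : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

As an audit check on a deployed site, list every `wp_ajax_` hook registered by a plugin and confirm that each callback reaches `current_user_can()` (and a nonce check) before any `update_option()` call, and that the option key written is fixed in code rather than taken from the request. A handler that fails either check is the pattern this CVE describes, regardless of plugin or version.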
