By skyforbes 
Zero day techniques to find vulnerabilities in the codebase
⚠️This article is only for educational and ethical vulnerability research purposes. Author not responsible for any actions!
1️⃣ CVE-2023-41686
1.2.2 vs 1.2.3
I am utilizing Meld tool for the patch diffing and colored visualization
Function wss_save_settings
Old version was not having neither authorization check nor the nonce check, although you should not use nonce check as a replacement for role check because sometimes there is potential of nonce getting leaked to non-admin areas.
Developer patched it by implementing both
- Authorization using WordPress function
current_user_can - Nonce verification check using WordPress function
wp_verify_nonce
add_action( 'admin_init', array( $this, 'wss_save_settings' ) );
public function…
Learn more about Code Review : admin_init & init Hook