Security vulnerability: Podlove Web Player Plugin vulnerable to Broken Access Control

[gerbsen]

Hey there, today my Wordfence Plugin for Wordpress gave me the following message during it's routine scan which got me a bit scared.

More infos on the CVE can be found here. According to Wordfence the Webplayer:

The Podlove Web Player plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 5.7.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

What should I do? Disable the plugin for now? Will there be a patch available? Can I somehow block the attack any other way? Thank you for any info on the matter!

[alexander-heimbuch]

Hey Gerbsen, thanks for the report. We are already aware of this report and trying to get more information about the potential security issue.

[RealKolago]

Any progress with the security issue?

[alexander-heimbuch]

The original source of this vulnerability is still not disclosed (see https://patchstack.com/database/vulnerability/podlove-web-player/wordpress-podlove-web-player-plugin-5-7-1-broken-access-control-vulnerability). Also the assigned CVE (https://www.cve.org/CVERecord?id=CVE-2023-47691) doesn't provide any information to resolve it :/

[alexander-heimbuch]

I've got the information what needs to be fixed and prepared a fix, will ping back patchstack about this.