CVE-2023-45104

7.3 HIGH

📋 TL;DR

This CVE describes a missing authorization vulnerability in the WordPress BetterLinks plugin that allows attackers to bypass access controls and perform unauthorized actions. The vulnerability affects all versions up to 1.6.0, potentially impacting any WordPress site using the vulnerable plugin.

💻 Affected Systems

Products:
  • WordPress BetterLinks Plugin
Versions: All versions up to and including 1.6.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using BetterLinks plugin version 1.6.0 or earlier. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could modify link configurations, redirect legitimate traffic to malicious sites, or potentially gain administrative access to the WordPress site.

🟠 Likely Case: Unauthorized users could modify BetterLinks settings, create malicious redirects, or access sensitive link analytics data they shouldn't have permission to view.

🟢 If Mitigated: With proper access controls and authentication checks, only authorized administrators could access BetterLinks functionality.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this vulnerability could be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to escalate privileges or modify link configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of WordPress plugin structure and access control mechanisms, but no authentication is needed once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.6.1 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/betterlinks/vulnerability/wordpress-betterlinks-plugin-1-6-0-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the BetterLinks plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.6.1+ from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable BetterLinks Plugin

WordPress

Temporarily deactivate the plugin until the patched version can be installed.

wp plugin deactivate betterlinks

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized access to BetterLinks endpoints
  • Restrict access to WordPress admin interface using IP whitelisting or additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for BetterLinks version. If version is 1.6.0 or earlier, you are vulnerable.

Check Version:

wp plugin get betterlinks --field=version

Verify Fix Applied:

After updating, verify BetterLinks plugin shows version 1.6.1 or later in WordPress admin plugins list.
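The version check above compares a dotted version string against 1.6.0, and a naive string comparison gets this wrong once a component reaches two digits (as a string, "1.10.0" sorts before "1.6.1"). The following script is an added example, not part of this advisory or of the BetterLinks project: it runs the page's WP-CLI check, parses the result into an integer tuple and reports whether the install falls inside the affected range. The `--path` argument is WP-CLI's standard global option for pointing at the WordPress root; the version strings in the test are constructed inputs.

```python
import re
import subprocess

# Highest affected release, as stated in the advisory (all versions <= 1.6.0).
LAST_VULNERABLE = (1, 6, 0)

def parse_version(text):
    """Turn '1.6.0' (or '1.6', '1.6.1-beta1') into a tuple of ints.
    Comparing tuples numerically means 1.10.0 is correctly newer than 1.6.1,
    which a plain string comparison would get wrong."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))

def is_vulnerable(version_text):
    """True when the installed BetterLinks version is 1.6.0 or earlier."""
    return parse_version(version_text) <= LAST_VULNERABLE

def installed_version(wp_path="."):
    """Ask WP-CLI for the plugin version, the same command the advisory gives.
    Returns None if WP-CLI is unavailable or the plugin is not installed."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", "betterlinks", "--field=version",
             f"--path={wp_path}"],
            capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None

if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("BetterLinks not found, or WP-CLI is not available")
    elif is_vulnerable(v):
        print(f"BetterLinks {v}: VULNERABLE, update to 1.6.1 or later")
    else:
        print(f"BetterLinks {v}: patched")
```

Run it from the WordPress root (or pass the site path to `installed_version`) on each site you manage; the exit path for a missing plugin is deliberate so the script can be looped over many installs without aborting.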

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to BetterLinks admin endpoints
  • Multiple failed authentication attempts followed by successful BetterLinks API calls

Network Indicators:

  • Unusual traffic patterns to /wp-admin/admin-ajax.php with BetterLinks-related parameters
  • Requests to BetterLinks endpoints from unauthorized IP addresses

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND query="action=betterlinks_*" AND NOT user_role="administrator")
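The SIEM query above encodes one rule: a call to admin-ajax.php whose `action` starts with `betterlinks_` from anyone who is not an administrator. Below is an added example, not part of this advisory and not BetterLinks code, that applies the same rule to exported JSON-lines log records so it can be tested offline. It reuses the page's field names (`uri_path`, `query`, `user_role`) and assumes two more, `client_ip` and `body`, the latter because WordPress accepts the `action` parameter in a POST body as well as the query string, which the page's query-string-only match would miss. The sample records and the action names in them are constructed and do not correspond to the plugin's real endpoints.

```python
import json
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample records (JSON lines). Field names follow the page's SIEM
# query; client_ip and body are assumed extra fields. Not real traffic.
SAMPLE_LOG = """\
{"ts":"2023-10-20T10:01:02Z","client_ip":"203.0.113.10","method":"POST","uri_path":"/wp-admin/admin-ajax.php","query":"action=betterlinks_update_link&id=7","body":"","user_role":"subscriber"}
{"ts":"2023-10-20T10:01:03Z","client_ip":"203.0.113.10","method":"POST","uri_path":"/wp-admin/admin-ajax.php","query":"","body":"action=betterlinks_get_analytics","user_role":""}
{"ts":"2023-10-20T10:02:10Z","client_ip":"198.51.100.5","method":"POST","uri_path":"/wp-admin/admin-ajax.php","query":"action=betterlinks_update_link&id=2","body":"","user_role":"administrator"}
{"ts":"2023-10-20T10:03:00Z","client_ip":"192.0.2.44","method":"GET","uri_path":"/wp-admin/admin-ajax.php","query":"action=heartbeat","body":"","user_role":"editor"}
{"ts":"2023-10-20T10:03:30Z","client_ip":"203.0.113.10","method":"GET","uri_path":"/go/promo","query":"","body":"","user_role":""}
"""

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "betterlinks_"   # the page's action=betterlinks_* wildcard
ALLOWED_ROLES = {"administrator"}

def ajax_action(record):
    """Return the admin-ajax 'action' parameter from the query string or,
    failing that, the POST body. The page's SIEM query checks only the
    query string; WordPress accepts the action in either place."""
    for field in ("query", "body"):
        params = parse_qs(record.get(field, ""))
        if "action" in params:
            return params["action"][0]
    return None

def is_suspicious(record):
    """Flag BetterLinks AJAX calls by anyone who is not an administrator.
    An empty user_role (anonymous request) is treated as non-admin."""
    if record.get("uri_path") != AJAX_PATH:
        return False
    action = ajax_action(record)
    if not action or not action.startswith(ACTION_PREFIX):
        return False
    return record.get("user_role", "") not in ALLOWED_ROLES

def scan(log_text):
    """Parse JSON lines and return (flagged_records, hits_per_client_ip).
    Malformed lines are skipped so one bad record does not stop the scan."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(record):
            flagged.append(record)
    per_ip = Counter(r.get("client_ip", "?") for r in flagged)
    return flagged, per_ip

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for r in hits:
        role = r.get("user_role") or "anonymous"
        print(f"{r['ts']} {r['client_ip']} role={role} action={ajax_action(r)}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} non-admin BetterLinks call(s)")
```

On the sample data the two calls from 203.0.113.10 are flagged (one subscriber, one anonymous with the action in the POST body) while the administrator's call, the unrelated heartbeat and the plain redirect hit are not. The per-IP counter is the piece to wire to an alert threshold; a single non-admin call may be noise, repeated ones from one source are worth a look.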

🔗 References
