CVE-2023-7014 in Author Box, Guest Author and Co-Authors for Your Posts Plugin
Summary
by MITRE • 02/06/2024
The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.7.4 via the 'ma_debu' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including post author emails and names if applicable.
Analysis
by VulDB Data Team • 04/11/2026
CVE-2023-7014 affects the Molongui plugin for WordPress, specifically its Author Box, Guest Author and Co-Authors functionality. The flaw exists in all versions up to and including 4.7.4 and represents a critical exposure that undermines the confidentiality of user data within WordPress environments. The vulnerability stems from improper input validation and output sanitization within the plugin's debugging mechanism, creating an avenue for unauthorized data retrieval.
Exploitation occurs through the 'ma_debu' parameter, which is intended for debugging purposes but does not properly authenticate or authorize access requests. When this parameter is manipulated by an unauthenticated attacker, it triggers the plugin to disclose sensitive information including post author email addresses and personal names. This is a direct violation of data protection principles and exposes personal information that should remain confidential within the WordPress ecosystem. The vulnerability is a sensitive data exposure issue that aligns with CWE-200, which addresses the exposure of sensitive information to unauthorized actors.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable more sophisticated attacks such as social engineering campaigns, credential harvesting, or targeted phishing attempts. Attackers can systematically gather author information across multiple WordPress sites using the same exploitation technique, creating comprehensive profiles of content creators and contributors. This exposure particularly affects WordPress installations where multiple authors contribute content, as it provides attackers with a systematic way to identify and target individuals within the blogging community. The vulnerability also violates fundamental security principles outlined in the OWASP Top Ten, specifically those concerning the exposure of sensitive data and weak access control mechanisms.
Mitigation for CVE-2023-7014 requires immediate action, including updating to the latest plugin version, where the vulnerability has been patched. Administrators should also implement network-level protections such as firewall rules to restrict access to debugging parameters and consider implementing web application firewalls that can detect and block malicious parameter manipulation attempts. The ATT&CK framework categorizes this vulnerability under T1213 - Data from Information Repositories, as it involves unauthorized access to stored information. Additionally, organizations should conduct thorough security audits to identify any other plugins or components that might expose similar debugging interfaces without proper access controls, as this vulnerability type often indicates broader architectural weaknesses in plugin security design.
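One way to review web server logs for requests that carried the debugging parameter, as an added example (not code from the plugin, MITRE or VulDB). It assumes Combined Log Format access logs and that the parameter arrives in the query string; the log lines, IP addresses, paths and values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

DEBUG_PARAM = "ma_debu"  # parameter name exactly as given in the advisory text

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def has_debug_param(target):
    """True if the request target's query string carries DEBUG_PARAM as a key."""
    # parse_qsl percent-decodes keys, so an encoded spelling of the name still matches.
    for key, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # Compare the name as PHP would see it: array suffixes dropped,
        # dots and spaces converted to underscores.
        name = key.split("[", 1)[0].replace(".", "_").replace(" ", "_")
        if name == DEBUG_PARAM:
            return True
    return False

def scan(lines):
    """Return {client_ip: [(timestamp, status, target), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_debug_param(m["target"]):
            hits[m["ip"]].append((m["ts"], int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2024:10:01:02 +0000] "GET /2024/01/hello/?ma_debu=x HTTP/1.1" 200 48211 "-" "curl/8.4.0"',
    '203.0.113.7 - - [06/Feb/2024:10:01:03 +0000] "GET /2024/01/other/?utm=a&ma%5Fdebu=x HTTP/1.1" 200 47002 "-" "curl/8.4.0"',
    '198.51.100.9 - - [06/Feb/2024:10:02:00 +0000] "GET /?s=ma_debu HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Feb/2024:10:02:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE_LOG).items():
        print(ip, len(reqs), "request(s) carrying", DEBUG_PARAM)
        for ts, status, target in reqs:
            print("   ", ts, status, target)
```

Access logs normally record only the request line, so a parameter sent in a request body would not appear here; a hit with a 200 status on a site still running 4.7.4 or earlier is a reason to treat author names and emails as disclosed.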