Accordion < 2.2.97 – Missing Authorization to Authenticated(Contributor+) Post Duplication | CVE 2024-1641 | Plugin Vulnerabilities

Description

The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'accordions_duplicate_post_as_draft' function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts.

Affects Plugins

Fixed in 2.2.97

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e7c70-4d07-4550-9cf8-5135b87b67ca

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

6059553e-9a4e-4ad0-b794-761fbdfc3bd1

Timeline

Publicly Published

2024-03-13 (about 2 months ago)

Added

2024-03-13 (about 2 months ago)

Last Updated

2024-03-13 (about 2 months ago)

Other

Published

Title

Published

2024-02-20

Title

Simple Job Board < 2.11.0 - Missing Authorization to Unauthenticated Information Disclosure

Published

2024-04-09

Title

Soledad < 8.4.6 - Missing Authorization

Published

2023-04-19

Title

miniOrange's Google Authenticator < 5.6.6 - Missing Authorization to Plugin Settings Change

Published

2024-04-05

Title

WordPress Gallery Plugin – NextGEN Gallery < 3.59.1 - Missing Authorization to Unauthenticated Information Disclosure

Published

2023-08-09

Title

User Activity Log < 1.6.6 - Subscriber+ Log Export