WordPress Plugin Vulnerabilities

DiveBook <= 1.1.4 - Improper Authorisation Check

Description

An authorisation issue is present in the DiveBook "Add New Dive" feature, allowing anonymous users to create a new dive entry with a crafted HTTP POST request.

Affects Plugins

Plugin icon
divebook
No known fix

References

CVE
CVE-2020-14205
URL
https://www.hooperlabs.xyz/disclosures/divebook.php

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Hooper Labs
Verified
No
WPVDB ID
cfd832da-e190-4cfc-813c-0c08ad10bd38

Timeline

Publicly Published
2020-12-09 (about 3 years ago)
Added
2020-12-09 (about 3 years ago)
Last Updated
2020-12-10 (about 3 years ago)

Other

Published
Title
Published
2024-05-03
Title
SimpleShop < 2.10.1 - Cross-Site Request Forgery
Published
2022-06-27
Title
miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting
Published
2024-01-24
Title
Views for WPForms < 3.2.3 - Missing Authorization via save_view
Published
2021-04-14
Title
BuddyPress < 7.3.0 - Multiple Authenticated REST API Vulnerabilities
Published
2024-02-12
Title
Sunshine Photo Cart: Free Client Galleries for Photographers < 3.1 - Unauthenticated Sensitive Information Exposure via Invoice