WordPress Plugin Vulnerabilities

Mollie Forms < 2.6.4 - Missing Authorization

Description

The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export payment data collected by this plugin.

Affects Plugins

Plugin icon
mollie-forms
Fixed in 2.6.4

References

CVE
CVE-2024-1645
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/353c244f-6d5d-47d6-988e-33da722a02f9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
e3c845cc-3639-40ba-886d-0ec91f892d74

Timeline

Publicly Published
2024-03-11 (about 2 months ago)
Added
2024-03-11 (about 2 months ago)
Last Updated
2024-03-11 (about 2 months ago)

Other

Published
Title
Published
2023-10-31
Title
WP Customer Reviews < 3.6.7 - Authenticated (Subscriber+) Sensitive Information Exposure
Published
2024-04-05
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.0 - Unauthenticated Arbitrary File Download
Published
2024-02-22
Title
Relevanssi < 4.22.1 - Unauthenticated Query Log Export
Published
2024-01-31
Title
PropertyHive < 2.0.7 - Missing Authorization via activate_pro_feature
Published
2024-03-12
Title
Bulgarisation for WooCommerce < 3.0.15 - Missing Authorization