8.2
CVE-2024-0324
- EPSS 45.96%
- Veröffentlicht 05.02.2024 22:15:59
- Zuletzt bearbeitet 15.05.2025 20:15:31
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginUser Profile Builder <= 3.10.8 - Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.
Mögliche Gegenmaßnahme
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor: Update to version 3.10.9, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Version
*-3.10.8
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cozmoslabs ≫ Profile Builder SwPlatformwordpress Version <= 3.10.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 45.96% | 0.975 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| security@wordfence.com | 8.2 | 3.9 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.