CVE-2024-0324

EPSS 2.43%
Veröffentlicht 05.02.2024 22:15:59
Zuletzt bearbeitet 08.04.2026 17:17:20
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

User Profile Builder <= 3.10.8 - Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.

Mögliche Gegenmaßnahme

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor: Update to version 3.10.9, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cozmoslabs ≫ Profile Builder SwPlatformwordpress Version <= 3.10.8

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Version *-3.10.8

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.43%	0.821

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security@wordfence.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/WordpressPluginDirectory/profile-builder/blob/main/profile-builder/admin/admin-functions.php#L517

Product

https://plugins.trac.wordpress.org/changeset/3022354/

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/23caef95-36b6-40aa-8dd7-51a376790a40?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/23caef95-36b6-40aa-8dd7-51a376790a40

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-0324

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-0324

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-0324

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-0324