4.3

CVE-2024-1158

EPSS 0.16%
Veröffentlicht 13.03.2024 16:15:17
Zuletzt bearbeitet 11.03.2025 13:18:18
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.7 - Missing Authorization

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.

Mögliche Gegenmaßnahme

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC): Update to version 2.8.8, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)

Version *-2.8.7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Themekraft ≫ Buddyforms SwPlatformwordpress Version < 2.8.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.369

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/browser/buddyforms/trunk/includes/admin/admin-ajax.php?rev=2820257#L80

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3046092%40buddyforms%2Ftrunk&old=3031945%40buddyforms%2Ftrunk&sfp_email=&sfph_mail=

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/198cb3bb-73fe-45ae-b8e0-b7ee8dda9547?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/198cb3bb-73fe-45ae-b8e0-b7ee8dda9547

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-1158

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1158

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1158

EUVD