CVE-2024-1380

EPSS 50.19%
Veröffentlicht 13.03.2024 16:15:20
Zuletzt bearbeitet 08.04.2026 18:20:35
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Relevanssi – A Better Search <= 4.22.0 (Free) and <= 2.25.0 (Premium) - Missing Authorization to Unauthenticated Query Log Export

The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0 (Free) and 2.25.0 (Premium). This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.

Mögliche Gegenmaßnahme

Relevanssi – A Better Search: Update to version 4.22.1, or a newer patched version

Relevanssi Premium: Update to version 2.25.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Relevanssi ≫ Relevanssi SwPlatformwordpress Version < 4.22.1

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Relevanssi – A Better Search

Version *-4.22.0

SystemWordPress Plugin

≫

Produkt Relevanssi Premium

Version *-2.25.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	50.19%	0.988

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033880%40relevanssi&new=3033880%40relevanssi&sfp_email=&sfph_mail=

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/7b2a3b17-0551-4e02-8e6a-ae8d46da0ef8?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/7b2a3b17-0551-4e02-8e6a-ae8d46da0ef8

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-1380

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1380

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1380

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-1380