6.5
CVE-2024-5940
- EPSS 0.47%
- Veröffentlicht 20.08.2024 02:15:04
- Zuletzt bearbeitet 26.08.2024 18:14:14
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginGiveWP – Donation Plugin and Fundraising Platform <= 3.13.0 - Missing Authorization to Unauthenticated Event Settings Update
GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0 - Missing Authorization to Unauthenticated Event Settings Update
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.
Mögliche Gegenmaßnahme
GiveWP – Donation Plugin and Fundraising Platform: Update to version 3.14.0, or a newer patched version
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.47% | 0.367 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| security@wordfence.com | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://plugins.trac.wordpress.org/changeset/3120745/
https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/EventTickets/Routes/UpdateEvent.php#L81
https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/EventTickets/Routes/UpdateEventTicketType.php#L78
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3cda8d0-321c-4b15-980e-5ebf49fac367?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3cda8d0-321c-4b15-980e-5ebf49fac367