4.3
CVE-2024-7721
- EPSS 0.19%
- Veröffentlicht 11.09.2024 05:15:03
- Zuletzt bearbeitet 18.09.2024 18:01:01
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginHTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled.
Mögliche Gegenmaßnahme
HTML5 Video Player – Embed and Play Videos in Custom Player: Update to version 2.5.35, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
HTML5 Video Player – Embed and Play Videos in Custom Player
Version
*-2.5.34
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Bplugins ≫ Html5 Video Player SwPlatformwordpress Version < 2.5.35
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.415 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
| security@wordfence.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.