Back

CVE-2024-4410

July 27, 2024, 2:15 a.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

IgnitionDeck Crowdfunding Platform plugin for WordPress

  • up to 1.9.8

Source

security@wordfence.com

Tags

security@wordfence.com
CWE-862
2024-07-27
CVE-2024-4410

CVE-2024-4410 details

Published : July 27, 2024, 2:15 a.m.
Last Modified : July 27, 2024, 2:15 a.m.

Description

The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others.

CVSS Score

1 2 3 4 5.4 6 7 8 9 10

Weakness

Weakness Name Description
CWE-862 Missing Authorization The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

Base Score

5.4

Exploitability Score

2.8

Impact Score

2.5

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

References

URL Source
https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L1162 security@wordfence.com
https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L186 security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/07b6aad4-fbaf-4c0c-b2b7-6e264a1afb9b?source=cve security@wordfence.com
This website uses the NVD API, but is not approved or certified by it.