SecuriTricks - CVE-2024-7621

Description

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings which can also be leveraged to gain access to the plugin's settings.

Product(s) Impacted

Product	Versions
Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress	up to 4.0.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://plugins.trac.wordpress.org/browser/atarim-visual-collaboration/trunk/inc/wpf_function.php?rev=3116009#L235

https://plugins.trac.wordpress.org/changeset/3133163/atarim-visual-collaboration/trunk/inc/wpf_function.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/7f17e055-ad49-4115-89c5-dd76b6c531f7?source=cve

CVSS Score

5.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: Aug. 12, 2024, 1:38 p.m.
Last Modified: Aug. 12, 2024, 1:41 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security@wordfence.com

CVE-2024-7621