CVE-2024-13800

Name of the Vulnerable Software and Affected Versions ConvertPlus plugin for WordPress versions up to, and including, 3.5.30

Description The issue allows unauthorized modification of data, potentially leading to a denial of service. This is due to a missing capability check on the 'cp dismiss notice' AJAX endpoint. Authenticated attackers with Subscriber-level access and above can update option values to '1' on the WordPress site, which can be used to create an error on the site, denying service to legitimate users, or to set certain values to true, such as registration.

Recommendations For versions up to, and including, 3.5.30, update to a version higher than 3.5.30 to resolve the issue. As a temporary workaround, consider restricting access to the 'cp dismiss notice' AJAX endpoint until a patch is available.