Engineervix

**Name of the Vulnerable Software and Affected Versions** Wagtail versions prior to 6.0.5 and prior to 6.1.2 **Description** Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The issue is not exploitable by an ordinary site visitor without access to the Wagtail admin. **Recommendations** For Wagtail versions prior to 6.0.5, upgrade to version 6.0.5 or later. For Wagtail versions prior to 6.1.2, upgrade to version 6.1.2 or later. As a temporary workaround for `ModelViewSet`, consider registering the model as a snippet instead. Note that no workaround is available for `wagtail.contrib.settings`.