PT-2024-15967 · WordPress · Rover Idx Plugin
István Márton · Published 2024-10-21 · Updated 2024-10-25
CVE-2024-10002
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Rover IDX plugin for WordPress versions up to and including 3.0.0.2905
Description
The issue arises from insufficient validation and a missing capability check on the rover idx refresh social callback function, allowing authenticated attackers with subscriber-level permissions and above to log in as the administrator.
Recommendations
For versions up to and including 3.0.0.2905, update to version 3.0.0.2906 to fully resolve the issue. As a temporary workaround, consider restricting access to the rover idx refresh social callback function until the update is applied.
Fix
Missing Authentication
Authentication Bypass Using an Alternate Path or Channel
Affected Products
Rover Idx Plugin