PT-2024-16120 · Unknown+1 · Carbon Fields+2
Brokenac Ignore
·
Published
2024-11-22
·
Updated
2024-11-23
·
CVE-2024-10216
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The WP User Manager – User Profile Builder & Membership plugin for WordPress versions up to, and including, 2.9.11
Description
The issue is related to a missing capability check on the
add sidebar and remove sidebar functions. This allows authenticated attackers with Subscriber-level access and above to add or remove a Carbon Fields custom sidebar if the Carbon Fields plugin is installed.Recommendations
For versions up to, and including, 2.9.11, consider disabling the
add sidebar and remove sidebar functions until a patch is available to prevent unauthorized modification of data. Restrict access to the Carbon Fields custom sidebar to minimize the risk of exploitation.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Carbon Fields
Wp User Manager
Wordpress