PT-2024-17955 · Microsoft · Outlook

Francesco Carlucci · Published 2024-02-20 · Updated 2026-02-27 · CVE-2024-1337

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SKT Page Builder plugin for WordPress versions up to, and including, 4.1
Microsoft Outlook client (affected versions not specified)

Description

The issue allows for unauthorized modification of data due to a missing capability check on the saveSktbuilderPageData function. This makes it possible for authenticated attackers to inject arbitrary content into pages. Additionally, there are reports of weak session management and a lack of rate limiting on API endpoints. The problem is being actively exploited.

Recommendations

For SKT Page Builder plugin for WordPress versions up to, and including, 4.1: Update to a version that includes a fix for the missing capability check on the saveSktbuilderPageData function.
For Microsoft Outlook client: Ensure the client is up to date to mitigate the risk of exploitation.
As a temporary workaround, consider restricting access to the saveSktbuilderPageData function until a patch is available.

Fix

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-1337

Affected Products

Outlook