PT-2024-18361 · WordPress · Autowriter
Lucio Sá
·
Published
2024-04-09
·
Updated
2024-04-10
·
CVE-2024-1850
CVSS v3.1
6.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
AutoWriter plugin for WordPress versions up to, and including, 3.3
Description
The issue allows authenticated attackers with subscriber access or higher to access, modify, or delete posts due to a missing capability check on functions hooked by AJAX actions. This enables them to view all posts generated with the plugin, including those in non-published status, create and publish new posts, publish unpublished posts, or perform post deletions.
Recommendations
For AutoWriter plugin for WordPress versions up to, and including, 3.3, update to a version higher than 3.3 to resolve the issue.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Autowriter