PT-2024-26942 · WordPress · The Wheel Of Life: Coaching/Assessment Tool For Life Coach
Lucio Sá · Published 2024-06-20 · Updated 2024-07-15 · CVE-2024-3627
| CVSS v3.1 | 5.4 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress versions up to, and including, 1.1.7
Description
The plugin's AjaxFunctions.php file contains several AJAX handler functions that perform no capability check before acting. Because WordPress dispatches these handlers to any logged-in user, authenticated attackers with subscriber-level access and above can delete arbitrary posts and modify plugin settings.
Recommendations
For versions up to, and including, 1.1.7, update to a version that adds a capability check to the affected functions in the AjaxFunctions.php file, so that only users authorized for the operation can delete posts or change settings. As a temporary workaround, consider restricting access to the AjaxFunctions.php file or to the affected functions until the update is applied.
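The pattern behind this advisory, shown as an added illustration rather than the plugin's own code: a WordPress AJAX handler that is reachable by every logged-in user and performs no authorization check, beside the hardened form that a fixed version would need. The action and function names (wol_demo_*) and the option key are hypothetical placeholders; the only assumption about the real plugin is what the description states, that handlers in AjaxFunctions.php delete posts and save settings without a capability check.

```php
<?php
// Added example, not code from the plugin. Names prefixed wol_demo_ are hypothetical.

// --- Vulnerable pattern ------------------------------------------------------
// The wp_ajax_{action} hook fires for every authenticated user, subscribers
// included. Without a capability check, any account can delete any post.
add_action( 'wp_ajax_wol_demo_delete_post_insecure', 'wol_demo_delete_post_insecure' );
function wol_demo_delete_post_insecure() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true ); // no authorization, no nonce
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_wol_demo_delete_post', 'wol_demo_delete_post' );
function wol_demo_delete_post() {
    // CSRF: the caller must present a nonce issued for this action
    // (created on the page with wp_create_nonce( 'wol_demo_delete_post' )).
    check_ajax_referer( 'wol_demo_delete_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorization: check the capability for this specific post, not merely
    // that the caller is logged in. current_user_can() handles the meta
    // capability mapping (authors may delete their own posts, editors others').
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

add_action( 'wp_ajax_wol_demo_save_settings', 'wol_demo_save_settings' );
function wol_demo_save_settings() {
    check_ajax_referer( 'wol_demo_save_settings', 'nonce' );

    // Plugin settings are site-wide state: require an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Sanitize before persisting; wp_unslash() undoes WordPress' magic quoting.
    $settings = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? array_map( 'sanitize_text_field', wp_unslash( $_POST['settings'] ) )
        : array();

    update_option( 'wol_demo_settings', $settings ); // hypothetical option key
    wp_send_json_success();
}
```

The two checks address different weaknesses: check_ajax_referer() stops a third-party page from driving the handler through a victim's browser, while current_user_can() is the capability check the advisory refers to, and it is the one whose absence lets a subscriber delete posts or change settings. A handler needs both; a nonce alone does not establish that the caller is allowed to perform the operation.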
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2024-3627
Affected Products
The Wheel Of Life: Coaching/Assessment Tool For Life Coach