PT-2024-27606 · WordPress · The Visualizer: Tables/Charts Manager
Krzysztof Zając · Published 2024-05-16 · Updated 2024-05-16
CVE-2024-3750
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
The Visualizer: Tables and Charts Manager for WordPress versions up to, and including, 3.10.15
Description
The issue is a missing capability check on the getQueryData() function: the handler does not verify the caller's role before acting, so any authenticated user with subscriber-level access or above can reach it and execute arbitrary SQL queries against the site database. Because arbitrary SQL allows reading and modifying any table, including user accounts and their roles, this can lead to privilege escalation and other actions.
Recommendations
For versions up to, and including, 3.10.15, update to a version that includes a fix for the missing capability check on the getQueryData() function.
As a temporary workaround, restrict access to getQueryData() so that only users who are meant to author chart queries (site administrators) can invoke it, for example by adding a current_user_can() check before any query is executed. Note that a nonce check alone is not an authorization control: any logged-in user can obtain a nonce from a page they are allowed to view. If patching the handler is not practical, deactivate the plugin until the update is applied.
Fix
Weakness Enumeration
CWE-862: Missing Authorization
Related Identifiers
CVE-2024-3750
Affected Products
The Visualizer: Tables/Charts Manager
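The following is an added illustration of the bug class described in this advisory and of the fix the Recommendations section calls for. It is not the Visualizer plugin's code: the AJAX action name, nonce action and function names are assumptions chosen for the example. It shows a WordPress AJAX handler that executes caller-supplied SQL behind a nonce check but no capability check, next to a hardened version that adds the authorization check and narrows what an authorized user can run.

```php
<?php
/**
 * Illustrative example added to this advisory. NOT the Visualizer plugin's
 * own code; the action name 'example_get_query_data', the nonce action
 * 'example-query-nonce' and both function names are assumptions.
 */

// --- Vulnerable pattern (kept unregistered, shown for contrast) ---
function example_get_query_data_vulnerable() {
    global $wpdb;

    // A nonce only proves the request came from a page this user could load;
    // every logged-in user, subscribers included, can obtain one. It is a
    // CSRF control, not an authorization control.
    check_ajax_referer( 'example-query-nonce', 'security' );

    // No current_user_can() check: any authenticated user reaches this point
    // and the query string is entirely caller-controlled.
    $sql  = isset( $_POST['query'] ) ? wp_unslash( $_POST['query'] ) : '';
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}

// --- Hardened pattern ---
function example_get_query_data_fixed() {
    global $wpdb;

    // 1. CSRF protection: same nonce check as before.
    check_ajax_referer( 'example-query-nonce', 'security' );

    // 2. Authorization: the check that was missing. Only users allowed to
    //    administer the site may run ad-hoc queries against the database.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Defense in depth: accept a single SELECT statement only. This does
    //    not replace the capability check (a SELECT can still read any table,
    //    wp_users included); it only limits what an authorized user can do by
    //    mistake. The comment/terminator filter is deliberately strict and may
    //    reject legitimate string literals containing '--' or '#'.
    $sql = isset( $_POST['query'] ) ? trim( wp_unslash( $_POST['query'] ) ) : '';
    if ( ! preg_match( '/^SELECT\s/i', $sql ) || preg_match( '/;|--|\/\*|#/', $sql ) ) {
        wp_send_json_error( array( 'message' => 'Only a single SELECT statement is allowed.' ), 400 );
    }

    $rows = $wpdb->get_results( $sql, ARRAY_A );
    if ( ! empty( $wpdb->last_error ) ) {
        // Do not echo $wpdb->last_error to the client; it leaks schema details.
        wp_send_json_error( array( 'message' => 'Query failed.' ), 400 );
    }
    wp_send_json_success( $rows );
}

// Register only the hardened handler. The wp_ajax_{action} hook fires for
// every logged-in user, which is exactly the population the capability check
// has to filter.
add_action( 'wp_ajax_example_get_query_data', 'example_get_query_data_fixed' );
```

To verify a handler of this kind, log in as a subscriber, obtain a valid nonce from any page the account can view, and POST the action to wp-admin/admin-ajax.php with a SELECT in the query parameter: the vulnerable version returns rows, the hardened version returns a 403 JSON error before any SQL runs. The capability check must sit before the query is built, not after, so that an unauthorized caller never influences what is sent to the database.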