CVE-2024-4410

Name of the Vulnerable Software and Affected Versions IgnitionDeck Crowdfunding Platform plugin for WordPress versions up to, and including, 1.9.8

Description The issue is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This allows authenticated attackers, with subscriber access or higher, to execute various AJAX actions, including changing the permalink structure and plugin settings.

Recommendations For versions up to, and including, 1.9.8, update to a version that includes the necessary capability checks to prevent unauthorized access to AJAX actions. As a temporary workaround, consider restricting access to the ~/classes/class-idf-wizard.php file to minimize the risk of exploitation.