PT-2024-32074 · WordPress · Wp Reset

Foxyyy +1 · Published 2024-06-07 · Updated 2024-10-31 · CVE-2024-4661

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WP Reset plugin for WordPress versions up to, and including, 2.02

Description

The issue is related to a missing capability check on the save AJAX function, allowing authenticated attackers with subscriber-level access and above to modify the value of the License Key field for the Activate Pro License setting. This enables unauthorized modification of data.

Recommendations

For WP Reset plugin for WordPress versions up to, and including, 2.02: Update the plugin to a version that includes a fix for the missing capability check on the save AJAX function. As a temporary workaround, consider restricting access to the save AJAX function to prevent unauthorized modification of the License Key field.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-4661

Affected Products

Wp Reset