PT-2024-38479 · WordPress · Opal Membership
Karolina Jankowska · Published 2024-08-10 · Updated 2024-08-12 · CVE-2024-7648
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Opal Membership plugin for WordPress versions up to and including 1.2.4
Description
The issue allows authenticated attackers with subscriber-level access and above to view private notes on payments that should be visible only to administrators. This is possible because the private-notes functionality on payments is implemented using WordPress comments.
Recommendations
For Opal Membership plugin for WordPress versions up to and including 1.2.4, restrict access to the private-notes functionality to reduce the risk of sensitive-information exposure until a patch is available. As a temporary workaround, restrict the use of WordPress comments for private notes so that unauthorized users cannot read them.
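One way to apply the workaround above as a WordPress must-use plugin (drop it into wp-content/mu-plugins/). This is an added example, not Opal Membership's code or an official fix; it assumes the payment notes are stored as comments with a dedicated comment_type, and the type name below is a placeholder that must be replaced with the value actually used.

```php
<?php
/**
 * Plugin Name: Restrict private-note comments to administrators (example hardening)
 *
 * Added example, not part of the Opal Membership plugin. Assumes private
 * payment notes are WordPress comments with their own comment_type.
 */

// ASSUMPTION: placeholder for the real comment_type used for payment notes.
// Find the actual value in the wp_comments.comment_type column.
const OPAL_PRIVATE_NOTE_TYPE = 'opal_private_note_PLACEHOLDER';

/**
 * Only administrators (holders of manage_options) may read private notes.
 */
function opal_note_reader_is_allowed(): bool {
    return current_user_can( 'manage_options' );
}

/**
 * Exclude the private-note comment type from every WP_Comment_Query run on
 * behalf of a non-admin. Admin-ajax, the REST comments collection and theme
 * lookups all build their SQL through WP_Comment_Query, and WordPress ANDs
 * type__not_in with any explicitly requested type, so asking for the private
 * type directly also returns nothing.
 */
function opal_hide_private_notes_from_query( WP_Comment_Query $query ): void {
    if ( opal_note_reader_is_allowed() ) {
        return;
    }
    $excluded   = (array) ( $query->query_vars['type__not_in'] ?? array() );
    $excluded[] = OPAL_PRIVATE_NOTE_TYPE;
    $query->query_vars['type__not_in'] = array_values( array_unique( $excluded ) );
}
add_action( 'pre_get_comments', 'opal_hide_private_notes_from_query' );

/**
 * Direct lookups by ID (get_comment(), REST /wp/v2/comments/<id>) bypass the
 * query filter, so refuse to hand the comment object to non-admins as well.
 */
function opal_hide_private_note_object( $comment ) {
    if ( $comment instanceof WP_Comment
        && OPAL_PRIVATE_NOTE_TYPE === $comment->comment_type
        && ! opal_note_reader_is_allowed() ) {
        return null; // get_comment() then reports the comment as not found
    }
    return $comment;
}
add_filter( 'get_comment', 'opal_hide_private_note_object' );
```

Verify the placeholder against the real comment_type before deploying, and confirm as an administrator that the notes remain visible in the payment screen.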
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Opal Membership