PT-2024-38805 · WordPress · Wp Extended

Marco Wotschka · Published 2024-09-04 · Updated 2024-09-05 · CVE-2024-8106

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: The Ultimate WordPress Toolkit – WP Extended plugin for WordPress versions up to, and including, 3.0.8
Description: Authenticated attackers with Subscriber-level access and above can extract sensitive data, including usernames, hashed passwords, and emails, via the download user AJAX function.
Recommendations: For versions up to, and including, 3.0.8, consider disabling the download user AJAX function as a temporary workaround until a patch is available. Restrict access to sensitive data and limit Subscriber-level access to minimize the risk of exploitation.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2024-8106

Affected Products: Wp Extended