WordPress Plugin Vulnerabilities

PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization

Description

The PostX – Gutenberg Blocks for Post Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with author-level access and above, to perform several unauthorized actions.

Affects Plugins

Plugin icon
ultimate-post
Fixed in 3.2.4

References

CVE
CVE-2024-31246
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2fd1bd8-dcc2-4c9a-be3f-b0a58992a239

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
movrment
Verified
No
WPVDB ID
9bdcb3dc-07aa-4ca5-aacb-1ee5c2b8256f

Timeline

Publicly Published
2024-04-05 (about 3 months ago)
Added
2024-04-11 (about 2 months ago)
Last Updated
2024-04-11 (about 2 months ago)

Other

Published
Title
Published
2022-11-21
Title
AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation
Published
2023-11-16
Title
Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints
Published
2024-06-19
Title
Depicter < 3.1.0 - Authenticated (Contributor+) Arbitrary Nonce Generation
Published
2021-09-29
Title
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload
Published
2022-11-14
Title
Transposh WordPress Translation <= 1.0.8 - Settings Update via Authorization Bypass