WordPress Plugin Vulnerabilities

Leaky Paywall < 4.20.9 - Missing Authorization to Price Manipulation

Description

The Leaky Paywall plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 4.20.8. This is due to the plugin allowing the price field to be user supplied. This makes it possible for unauthenticated attackers to alter the price of memberships.

Affects Plugins

Plugin icon
leaky-paywall
Fixed in 4.20.9

References

CVE
CVE-2024-33594
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b9f627f0-779c-4d57-a471-ce742e3a5dd5

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Joshua Chan
Verified
No
WPVDB ID
9e351aff-e065-46a4-8508-493459f5733d

Timeline

Publicly Published
2024-04-25 (about 2 months ago)
Added
2024-05-03 (about 2 months ago)
Last Updated
2024-05-03 (about 2 months ago)

Other

Published
Title
Published
2022-03-16
Title
Responsive Menu < 4.1.8 - Subscriber+ Arbitrary File Upload / Theme Deletion / Plugin Settings Update
Published
2021-10-04
Title
Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update
Published
2024-03-12
Title
Awesome Support < 6.1.7 - Insufficient Authorization via wpas_can_delete_attachments()
Published
2024-01-05
Title
WP Job Manager < 2.1.0 - Unauthenticated Job Status Update
Published
2023-08-14
Title
Media from FTP < 11.17 - Author+ Arbitrary File Access