WP STAGING <= 3.4.3 and WP STAGING Pro <= 5.4.3 – Sensitive Information Exposure via Log File | CVE 2024-3682 | Plugin Vulnerabilities

Description

The WP STAGING and WP STAGING Pro plugins for WordPress are vulnerable to Sensitive Information Exposure in versions up to, and including, 3.4.3, and versions up to, and including, 5.4.3, respectively, via the ajaxSendReport function. This makes it possible for unauthenticated attackers to extract sensitive data from a log file, including system information and (in the Pro version) license keys. Successful exploitation requires an administrator to have used the 'Contact Us' functionality along with the "Enable this option to automatically submit the log files." option.

Affects Plugins

Fixed in 3.5.0

Fixed in 5.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/75eab54b-dbe0-4440-b4ab-601c5041e180

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

haidv35

Verified

No

WPVDB ID

04fa4230-3580-417a-83ed-35d850a31ada

Timeline

Publicly Published

2024-04-25 (about 2 years ago)

Added

2024-04-25 (about 2 years ago)

Last Updated

2024-04-25 (about 2 years ago)

Other

Published

Title

Published

2025-08-14

Title

B Slider - Gutenberg Slider Block for WP < 2.0.1 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2025-06-27

Title

Accept Stripe Payments Using Contact Form 7 < 3.1 - Unauthenticated Information Exposure

Published

2024-12-10

Title

Members < 3.2.11 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Published

2024-11-20

Title

Sky Addons for Elementor < 2.6.2 - Authenticated (Contributor+) Sensitive Information Exposure via Content Switcher Widget Elementor Template

Published

2025-02-17

Title

1 Click WordPress Migration Plugin – 100% FREE for a limited time < 2.3 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php