Bulk Edit Post Titles <= 5.0.0 – Missing Authorization via bulkUpdatePostTitles | CVE 2024-0369 | Plugin Vulnerabilities

Description

The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts.

Affects Plugins

bulk-edit-post-titles

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cad19306-6eef-4f80-9442-e7b314b3a873

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

05f51307-75c5-481c-bd4f-4e5f983cc596

Timeline

Publicly Published

2024-02-26 (about 2 years ago)

Added

2024-02-26 (about 2 years ago)

Last Updated

2024-02-26 (about 2 years ago)

Other

Published

Title

Published

2021-09-06

Title

Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update

Published

2024-09-25

Title

Jupiter X Core < 4.7.8 - Limited Unauthenticated Authentication Bypass to Account Takeover

Published

2024-04-08

Title

GamiPress < 6.8.9 - Broken Access Control

Published

2021-04-22

Title

Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via Low Privilege User

Published

2021-01-28

Title

uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion