WordPress Plugin Vulnerabilities

Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The Whizzy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.18 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
whizzy
No known fix

References

CVE
CVE-2024-30543
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ededa54-654f-48dc-87d5-7321e041e6fb

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
1403caf6-b375-405e-9706-65d5728fecc3

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2026-01-05
Title
Woffice Core < 5.4.31 - Unauthenticated Insecure Direct Object Reference
Published
2026-01-23
Title
Extensions For CF7 < 3.4.1 - Authenticated (Contributor+) Insecure Direct Object Reference
Published
2026-05-12
Title
Tutor LMS < 3.9.10 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Published
2026-05-04
Title
Forminator < 1.52.1 - Unauthenticated Missing Authorization to Payment Bypass
Published
2024-08-15
Title
Custom Field For WP Job Manager < 1.3 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode