WordPress Plugin Vulnerabilities

PilotPress < 2.0.31 - Subscriber+ Report Access & DB Transients Purging

Description

The plugin is vulnerable to unauthorized access to data and loss of data due to a missing capability check on multiple AJAX functions, allowing authenticated attackers, with subscriber access and above, to view reports and purge database transients.

Affects Plugins

Plugin icon
pilotpress
Fixed in 2.0.31

References

CVE
CVE-2024-23524
URL
https://patchstack.com/database/vulnerability/pilotpress/wordpress-pilotpress-plugin-2-0-29-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Nguyen Xuan Chien
Verified
No
WPVDB ID
184f13bc-b993-43f7-9d1e-4243d9bdddba

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-03-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
FV Thoughtful Comments < 0.3.6 - Missing Authorization
Published
2025-12-25
Title
Frontend Post Submission Manager Lite < 1.2.7 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion
Published
2022-11-28
Title
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
Published
2025-01-16
Title
Sur.ly <= 3.0.3 - Missing Authorization
Published
2025-10-29
Title
Debug Log Viewer < 2.0.4 - Missing Authorization