Finale Lite < 2.18.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation | CVE 2024-30485 | Plugin Vulnerabilities

Description

The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in all versions up to, and including, 2.18.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins.

Affects Plugins

finale-woocommerce-sales-countdown-timer-discount

Fixed in 2.18.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d80199a2-8a12-44f7-ba20-169d7af88c26

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

beluga

Verified

No

WPVDB ID

1dc67485-c920-46eb-afbc-505c5f38b9ad

Timeline

Publicly Published

2024-03-28 (about 2 years ago)

Added

2024-04-04 (about 2 years ago)

Last Updated

2024-04-04 (about 2 years ago)

Other

Published

Title

Published

2023-09-01

Title

Better Elementor Addons < 1.3.9 - Subscriber+ Settings Update / Reset

Published

2024-08-07

Title

Tutor LMS < 2.7.4 - Missing Authorization

Published

2026-01-13

Title

Aplazo Payment Gateway < 1.5.0 - Missing Authorization to Unauthenticated Order Status Manipulation

Published

2026-03-09

Title

Booktics < 1.0.17 - Unauthenticated Get Items via REST API endpoints

Published

2025-07-03

Title

WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Arbitrary User Deletion via ajax_delete_employee Function