WordPress Plugin Vulnerabilities

RabbitLoader < 2.19.14 - Missing Authorization via multiple AJAX actions

Description

The RabbitLoader plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 2.19.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to purge site cache or switch caching modes.

Affects Plugins

Plugin icon
rabbit-loader
Fixed in 2.19.14

References

CVE
CVE-2024-21751
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/958118ec-437e-45c8-a0f0-6aaf54e60d04

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
1de2f979-6248-46b4-b896-ff42a5e9a8ad

Timeline

Publicly Published
2024-01-08 (about 1 year ago)
Added
2024-01-15 (about 1 year ago)
Last Updated
2024-01-15 (about 1 year ago)

Other

Published
Title
Published
2025-06-12
Title
REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function
Published
2024-07-08
Title
Product Designer < 1.0.34 - Unauthenticated Arbitrary Attachment Deletion
Published
2023-10-16
Title
DX Delete Attached Media < 2.0.6 - Settings Update via CSRF
Published
2025-03-04
Title
WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import
Published
2025-04-24
Title
BM Content Builder < 3.16.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update