WordPress Plugin Vulnerabilities

12 Step Meeting List < 3.14.29 - Subscriber+ CSV Download

Description

The plugin does not have authorisation in its csv AJAX action, allowing any authenticated users, such a subscriber to export meetings and gain access to sensitive information

Affects Plugins

Plugin icon
12-step-meeting-list
Fixed in 3.14.29

References

CVE
CVE-2024-22296
URL
https://patchstack.com/database/vulnerability/12-step-meeting-list/wordpress-12-step-meeting-list-plugin-3-14-26-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
emad
Verified
Yes
WPVDB ID
21056aff-ce28-4fdc-ac62-fdc6bce72ad4

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-02-12 (about 2 years ago)

Other

Published
Title
Published
2024-10-21
Title
Smart Manager < 8.46.0 - Missing Authorization
Published
2025-12-12
Title
Directory Pro <= 2.5.6 - Missing Authorization
Published
2024-08-16
Title
Radio Player < 2.0.74 - Missing Authorization to Player Deletion
Published
2026-03-23
Title
PPWP – Password Protect Pages < 1.9.16 - Missing Authorization
Published
2025-01-24
Title
Admin and Site Enhancements (ASE) < 7.6.3 - Missing Authorization