WordPress Plugin Vulnerabilities

ApplyOnline – Application Form Builder and Manager < 2.6.3 - Unauthenticated Application File Access

Description

The plugin does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain

Proof of Concept

Affects Plugins

Plugin icon
apply-online
Fixed in 2.6.3

References

CVE
CVE-2024-10098

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Arian Mosallah
Submitter
Arian Mosallah
Submitter website
https://forti.fi
Verified
Yes
WPVDB ID
242dac1f-9a1f-4fde-b8c7-374bd451071d

Timeline

Publicly Published
2024-07-25 (about 1 year ago)
Added
2024-10-31 (about 1 year ago)
Last Updated
2024-10-31 (about 1 year ago)

Other

Published
Title
Published
2024-03-13
Title
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form < 2.10.2 - Unauthenticated Insecure Direct Object Reference to Form Submission Alteration
Published
2023-10-09
Title
WordPress File Sharing Plugin < 2.0.5 - Subscriber+ Sensitive Data and Files Exposure via IDOR
Published
2024-04-25
Title
Crelly Slider < 1.4.6 - Subscriber+ Insecure Direct Object Reference
Published
2025-11-20
Title
Return Refund and Exchange For WooCommerce < 4.5.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation
Published
2024-01-17
Title
MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure