WordPress Plugin Vulnerabilities

Icegram < 3.1.22 - Contributor+ Campaign Status Toggle / Duplication

Description

The plugin does not have proper authorisation when duplicating and toggling campaign status, allowing contributors and above roles to perform such action

Affects Plugins

Plugin icon
icegram
Fixed in 3.1.22

References

CVE
CVE-2024-21748
URL
https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-20-broken-access-control-vulnerability

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Huynh Tien Si
Verified
Yes
WPVDB ID
25094f46-faec-46c8-a3d4-c77d3845cb2e

Timeline

Publicly Published
2024-01-05 (about 2 years ago)
Added
2024-01-12 (about 2 years ago)
Last Updated
2024-02-28 (about 2 years ago)

Other

Published
Title
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ SSRF
Published
2023-11-21
Title
Abandoned Cart Lite for WooCommerce < 5.16.1 - Improper Authorization via wcal_delete_expired_used_coupon_code
Published
2022-05-09
Title
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update
Published
2022-07-25
Title
Flipbox < 2.6.1 - Authenticated Arbitrary Options Update
Published
2023-03-10
Title
GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion