ConvertPlug < 3.5.26 – Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update | CVE 2024-3237 | Plugin Vulnerabilities

Description

The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to true.

Affects Plugins

Fixed in 3.5.26

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0cd72420-dca1-455d-92a6-a178b4b26eab

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

M.Awad

Verified

No

WPVDB ID

2ac53b74-6d6e-4f9e-af49-1b7853d09489

Timeline

Publicly Published

2024-05-03 (about 1 year ago)

Added

2024-05-03 (about 1 year ago)

Last Updated

2024-05-03 (about 1 year ago)

Other

Published

Title

Published

2025-12-24

Title

Website Builder by SeedProd <= 6.19.8 - Missing Authorization

Published

2024-06-21

Title

Kanban Boards for WordPress <= 2.5.21 - Missing Authorization

Published

2024-09-30

Title

Depicter Slider < 3.5.0 - Missing Authorization

Published

2024-08-16

Title

Recipe Card Blocks for Gutenberg & Elementor < 3.3.2 - Missing Authorization

Published

2025-12-15

Title

Listdom < 5.1.0 - Missing Authorization