WordPress Plugin Vulnerabilities

Check & Log Email < 1.0.10 - Unauthenticated Hook Injection

Description

The plugin is vulnerable to Unauthenticated Hook Injection via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement.

Affects Plugins

Plugin icon
check-email
Fixed in 1.0.10

References

CVE
CVE-2024-0866
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae9307c-680c-43c7-8246-a3e6149c1fb6

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Sean Murphy
Verified
No
WPVDB ID
2dcbbc1e-76cb-4200-990c-daedfb56d3cd

Timeline

Publicly Published
2024-03-25 (about 2 years ago)
Added
2024-03-26 (about 2 years ago)
Last Updated
2024-03-26 (about 2 years ago)

Other

Published
Title
Published
2026-01-21
Title
Beaver Builder < 2.9.4.2 - Contributor+ Remote Code Execution
Published
2025-01-03
Title
Dynamics 365 Integration < 1.3.24 - Contributor+ RCE and Arbitrary File Read
Published
2016-08-02
Title
wSecure Lite <= 2.3 - Remote Code Execution (RCE)
Published
2025-11-07
Title
Better Find and Replace < 1.7.8 - Authenticated (Subscriber+) Limited Code Injection
Published
2014-09-27
Title
Advanced Access Manager 2.8.2 - Admin User File Read/Write