Rolo Slider <= 1.0.9 – Missing Authorization to Authenticated(Subscriber+) Settings Change | CVE 2024-1438 | Plugin Vulnerabilities

Description

The Rolo Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_callback' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber access and above, to modify the plugin's settings via the import functionality.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9fdf6c97-6fc4-4840-b96d-e194149861e4

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Emili Castells

Verified

No

WPVDB ID

2f88dc98-bb41-4f98-a8d4-3ab2ff9e4b2c

Timeline

Publicly Published

2024-02-26 (about 2 years ago)

Added

2024-02-28 (about 2 years ago)

Last Updated

2024-02-28 (about 2 years ago)

Other

Published

Title

Published

2022-06-06

Title

Qubely < 1.8.1 - Authenticated Arbitrary Settings Update

Published

2023-10-19

Title

MW WP Form < 5.0.0 - Missing Authorization

Published

2026-02-13

Title

BlueSnap Payment Gateway for WooCommerce < 3.4.1 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation

Published

2025-12-10

Title

Comparimager for Elementor <= 1.0.1 - Missing Authorization

Published

2025-12-22

Title

Telegram Widget and Join Link < 2.2.13 - Missing Authorization