WordPress Plugin Vulnerabilities

Cloudflare < 4.12.3 - Missing Authorization via initProxy

Description

The Cloudflare plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'initProxy' function in versions up to and including 4.12.2. This makes it possible for authenticated attackers, with subscriber access and above, to send requests proxied through Cloudflare to arbitrary URLs.

Affects Plugins

Plugin icon
cloudflare
Fixed in 4.12.3

References

CVE
CVE-2024-0212
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/902c0c84-fcae-4ce4-9885-89fd135a4ffd

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.4 (medium)

Miscellaneous

Verified
No
WPVDB ID
309356ef-d9b1-488c-a93e-3074a497214b

Timeline

Publicly Published
2024-01-04 (about 2 years ago)
Added
2024-02-06 (about 2 years ago)
Last Updated
2024-02-06 (about 2 years ago)

Other

Published
Title
Published
2023-12-27
Title
Doofinder for WooCommerce < 2.1.1 - Missing Authorization via multiple AJAX actions
Published
2025-09-05
Title
SoftMe <= 1.1.27 - Missing Authorization
Published
2026-02-26
Title
Post Timeline < 2.4.2 - Missing Authorization
Published
2025-07-07
Title
Guest Support – Complete customer support ticket system for WordPress < 1.2.3 - Missing Authorization to Unauthenticated Ticket Deletion
Published
2025-02-03
Title
Slide Banners <= 1.3 - Missing Authorization