WordPress Plugin Vulnerabilities

Hide Dashboard Notifications < 1.3.1 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification

Description

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's settings.

Affects Plugins

Plugin icon
wp-hide-backed-notices
Fixed in 1.3.1

References

CVE
CVE-2024-1955
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d4655236-7dfe-40ae-9d0c-6eacc59af13d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
33bc878b-fa7d-47c8-b95f-68839e3794c8

Timeline

Publicly Published
2024-06-20 (about 1 year ago)
Added
2024-06-20 (about 1 year ago)
Last Updated
2024-06-21 (about 1 year ago)

Other

Published
Title
Published
2025-05-16
Title
BERTHA AI <= 1.12.11 - Missing Authorization
Published
2026-04-16
Title
Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
Published
2024-10-09
Title
UserPlus <= 2.0 - Missing Authorization via Multiple Functions
Published
2024-12-11
Title
New User Approve < 2.6.4 - Missing Authorization
Published
2025-01-03
Title
Nexter Blocks < 4.0.8 - Missing Authorization