ConvertKit < 2.4.9.1 – Missing Authorization | CVE 2024-3961 | Plugin Vulnerabilities

Description

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded.

Affects Plugins

Fixed in 2.4.9.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/79d828b8-aea2-4705-ae23-ac70133a6c3e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

1337_Wannabe

Verified

No

WPVDB ID

3a7517e6-f1a0-4fb7-b331-decc78b4f532

Timeline

Publicly Published

2024-06-20 (about 2 years ago)

Added

2024-06-20 (about 2 years ago)

Last Updated

2024-06-21 (about 2 years ago)

Other

Published

Title

Published

2025-11-04

Title

Document Embedder – Embed PDFs, Word, Excel, and Other Files < 2.0.1 - Missing Authorization to Unauthenticated Document Manipulation

Published

2023-11-07

Title

Ecwid Ecommerce Shopping Cart < 6.12.4 - Missing Authorization on multiple functions

Published

2024-11-12

Title

Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Order Deletion

Published

2026-01-05

Title

Traveler < 3.2.7 - Missing Authorization

Published

2025-12-18

Title

HomeFix Elementor Portfolio <= 1.0.1 - Missing Authorization