WordPress Plugin Vulnerabilities

Htaccess File Editor < 1.0.19 - Missing Authorization

Description

The Htaccess File Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the class-htaccess-file-editor-ebwp-notice.php file in versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Plugin icon
htaccess-file-editor
Fixed in 1.0.19

References

CVE
CVE-2024-49256
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a706e4eb-cd27-44b1-a023-5e4e075c768d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
3aea999a-0786-443e-a776-a1200e86cd51

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-10-18 (about 1 year ago)

Other

Published
Title
Published
2025-12-31
Title
Easy Upload Files During Checkout < 3.0.1 - Missing Authorization
Published
2023-11-07
Title
EazyDocs < 2.3.6 - Unauthenticated OnePage Document Update/Publish
Published
2025-01-24
Title
FV Thoughtful Comments < 0.3.6 - Missing Authorization
Published
2025-03-27
Title
Chatbox Manager < 1.2.3 - Missing Authorization
Published
2022-10-30
Title
Attorney <= 3 - Unauthenticated Arbitrary Page/Post Deletion