WordPress Plugin Vulnerabilities

WP Setup Wizard < 1.0.8.2 - Authenticated (Subscriber+) Full Database Download

Description

The WP Setup Wizard plugin for WordPress is vulnerable to unauthorized access of datadue to a missing capability check in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to download the entire database.

Affects Plugins

Plugin icon
wp-setup-wizard
Fixed in 1.0.8.2

References

CVE
CVE-2024-25917
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f46b01e4-1022-45aa-8511-6d2519e4e562

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
3dd47c9a-e05a-49ca-a0ec-792a9845bab2

Timeline

Publicly Published
2024-02-14 (about 2 years ago)
Added
2024-02-20 (about 2 years ago)
Last Updated
2024-02-20 (about 2 years ago)

Other

Published
Title
Published
2022-09-07
Title
Frontend File Manager < 21.3 - Unauthenticated File Renaming
Published
2024-06-06
Title
Podlove Web Player < 5.7.4 - Missing Authorization to Unauthenticated Information Exposure
Published
2026-01-19
Title
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) < 1.119.9 - Missing Authorization to Unauthenticated Order Status Modification
Published
2025-07-15
Title
URL Shortener <= 3.0.7 - Missing Authorization
Published
2026-04-29
Title
Wallet System for WooCommerce – Digital Wallet, Buy Now Pay Later (BNPL), Instant Cashback, Referral program, Partial & Subscription Payments < 2.7.6 - Missing Authorization