WordPress Plugin Vulnerabilities

SalesKing < 1.6.30 - Missing Authorization to Settings Change

Description

The SalesKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in all versions up to, and including, 1.6.15. This makes it possible for unauthenticated attackers to modify plugin settings.

Affects Plugins

Plugin icon
salesking
Fixed in 1.6.30

References

CVE
CVE-2024-22156
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c86f157e-e7f2-4b00-977c-c4cc7c2b3b0b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
45e6ec6c-e80a-4338-a3c7-6c910f92d55b

Timeline

Publicly Published
2024-01-16 (about 2 years ago)
Added
2024-01-22 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-02-25
Title
WeDesignTech Ultimate Booking Addon < 1.0.4 - Missing Authorization
Published
2024-04-05
Title
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.4.3 - Missing Authorization to Unauthenticated Settings Reset
Published
2023-11-14
Title
Restaurant & Cafe Addon for Elementor < 1.5.3 - Missing Authorization
Published
2024-02-20
Title
WooCommerce Google Sheet Connector < 1.3.12 - Missing Authorization
Published
2025-12-31
Title
Sliper for Elementor <= 1.0.10 - Missing Authorization