WordPress Plugin Vulnerabilities

DELUCKS SEO < 2.5.5 - Missing Authorization

Description

The DELUCKS SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_uninstall_reason() function in versions up to, and including, 2.5.4. This makes it possible for unauthenticated attackers to send an uninstall reason to the plugin's vendor on behalf of the site owner.

Affects Plugins

Plugin icon
delucks-seo
Fixed in 2.5.5

References

CVE
CVE-2024-30538
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4653f0fd-5369-4e3c-9bce-3f4200c0bddb

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
47d5ee00-dddb-4b0a-8130-b06e61796442

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2025-03-27
Title
Exchange Rates < 1.2.3 - Missing Authorization
Published
2023-12-27
Title
Doofinder for WooCommerce < 2.1.1 - Missing Authorization via multiple AJAX actions
Published
2025-10-08
Title
Salient Core < 3.0.9 - Missing Authorization
Published
2025-10-21
Title
Persian Admnin Fonts < 4.1.05 - Missing Authorization
Published
2025-07-30
Title
WpEvently < 4.4.7 - Missing Authorization