WordPress Plugin Vulnerabilities

NextMove Lite – Thank You Page for WooCommerce & Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.17.0 - Missing Authorization to Unauthenticated System Information Disclosure

Description

The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack.

Affects Plugins

Plugin icon
woo-thank-you-page-nextmove-lite
Fixed in 2.18.1
Plugin icon
finale-woocommerce-sales-countdown-timer-discount
Fixed in 2.18.0

References

CVE
CVE-2024-1120
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d9332be-2cf0-46cd-81e4-6436aeec0f83

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
4953af55-67e7-4dfc-af62-71e5944cc23c

Timeline

Publicly Published
2024-02-29 (about 2 years ago)
Added
2024-02-29 (about 2 years ago)
Last Updated
2024-02-29 (about 2 years ago)

Other

Published
Title
Published
2026-01-15
Title
All in One SEO < 4.9.3 - Contributor+ AI Access Token and Credit Disclosure
Published
2025-01-25
Title
Quiz Maker Business, Developer, and Agency - Unauthenticated Stored XSS
Published
2024-04-05
Title
Image Watermark < 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Watermark Modification
Published
2023-11-13
Title
Delete Duplicate Posts < 4.9 - Missing Authorization via AJAX Actions
Published
2026-05-02
Title
Event Tickets and Registration < 5.27.6.1 - Missing Authorization