Forex Calculators < 1.3.8 – Missing Authorization to Authenticated (Subscriber+) Settings Update | CVE 2024-13716 | Plugin Vulnerabilities

Description

The Forex Calculators plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_settings_callback() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

Affects Plugins

Fixed in 1.3.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/49ce8ca1-c1ae-4dda-909e-70c3b6d2b561

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

4b22e7b0-4589-4019-a3e2-8a41a5199bc3

Timeline

Publicly Published

2025-02-27 (about 1 year ago)

Added

2025-02-27 (about 1 year ago)

Last Updated

2025-03-03 (about 1 year ago)

Other

Published

Title

Published

2025-12-11

Title

URL Media Uploader <= 1.0.1 - Missing Authorization to Authenticated (Contributor+) Safe File Upload

Published

2023-10-12

Title

Nexter < 2.0.4 - Missing Authorization

Published

2025-03-14

Title

School Management System – WPSchoolPress < 2.2.17 - Missing Authorization to Arbitrary User Deletion

Published

2025-10-03

Title

GiveWP – Donation Plugin and Fundraising Platform < 4.10.1 - Missing Authorization to Unauthenticated Forms-Campaign Association

Published

2025-09-22

Title

Editor Custom Color Palette <= 3.5.4 - Missing Authorization