WordPress Plugin Vulnerabilities

Load More Anything < 3.3.4 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
ajax-load-more-anything
Fixed in 3.3.4

References

CVE
CVE-2024-24704
URL
https://patchstack.com/database/vulnerability/ajax-load-more-anything/wordpress-load-more-anything-plugin-3-3-3-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Elliot
Verified
No
WPVDB ID
51f399bc-e9ca-45cd-a249-181d0ca5e504

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-04 (about 2 years ago)
Last Updated
2024-02-12 (about 2 years ago)

Other

Published
Title
Published
2026-03-20
Title
WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover
Published
2024-04-22
Title
Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy < 2.1.2 - Unauthenticated Arbitrary Content Deletion
Published
2024-01-16
Title
EazyDocs < 2.4.0 - Subscriber+ Arbitrary Posts Deletion and Document Management
Published
2025-06-25
Title
Post Carousel Slider for Elementor < 1.7.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function
Published
2025-01-08
Title
Greenshift – animation and page builder blocks < 9.0.1 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross-Site Scripting