WordPress Plugin Vulnerabilities

ConvertPlus <= 3.4.2 - Unauthenticated Arbitrary User Role Creation

Description

The convertplug WordPress plugin was affected by an Unauthenticated Arbitrary User Role Creation security vulnerability.

Affects Plugins

Plugin icon
convertplug
Fixed in 3.4.3

References

URL
https://www.wordfence.com/blog/2019/05/critical-vulnerability-patched-in-popular-convert-plus-plugin/
URL
https://vimeo.com/339193628
URL
https://www.convertplug.com/plus/version-3-4-3-security-update/

Miscellaneous

Original Researcher
Wordfence Threat Intelligence Team
Submitter
Ryan Dewhurst
Submitter website
https://wpscan.io
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
57bfeb22-f371-43ce-9134-ff695cfc660a

Timeline

Publicly Published
2019-05-29 (about 6 years ago)
Added
2019-05-30 (about 6 years ago)
Last Updated
2019-11-12 (about 6 years ago)

Other

Published
Title
Published
2023-07-27
Title
Change WP Admin < 1.1.4 - Secret Login Page Disclosure
Published
2019-06-21
Title
Seo By Rank Math <= 1.0.27 - Authenticated Settings Reset
Published
2020-03-18
Title
Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints
Published
2026-02-18
Title
Popup Builder < 4.4.3 - Unauthenticated Subscriber Removal via Predictable Tokens
Published
2022-08-01
Title
Download Manager < 3.2.50 - Bypass IP Address Blocking Restriction