WordPress Plugin Vulnerabilities

Clone < 2.4.6 - Missing Authorization

Description

The Clone plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpa_wpc_ajax_install_new() function in versions up to, and including, 2.4.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to install a backup plugin.

Affects Plugins

Plugin icon
wp-clone-by-wp-academy
Fixed in 2.4.6

References

CVE
CVE-2024-43298
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b3533123-a141-4a15-b8cd-46a2870ecbd6

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
5a2455a5-bc1e-4f2c-8b72-020987a72044

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-19 (about 1 year ago)
Last Updated
2024-08-19 (about 1 year ago)

Other

Published
Title
Published
2026-01-19
Title
Custom Fonts – Host Your Fonts Locally < 2.1.17 - Missing Authorization to Unauthenticated Font Deletion
Published
2026-02-18
Title
Ridhi < 1.1.3 - Missing Authorization
Published
2024-04-18
Title
ShopLentor < 2.8.2 - Contributor+ Template Reset
Published
2025-04-01
Title
MyBookProgress by Stormhill Media <= 1.0.8 - Missing Authorization
Published
2025-08-14
Title
WP Statistics < 14.15.2 - Missing Authorization