Plugin Groups < 2.0.7 – Missing Authorization to Unauthenticated Denial of Service | CVE 2024-1108 | Plugin Vulnerabilities

Description

The Plugin Groups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_init() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to change the settings of the plugin, which can also cause a denial of service due to a misconfiguration.

Affects Plugins

Fixed in 2.0.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8298f1fb-3165-40e3-9192-805a07c14cae

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

5c3ffde5-1c3a-4934-b3a8-cced028cc47b

Timeline

Publicly Published

2024-02-20 (about 2 years ago)

Added

2024-02-20 (about 2 years ago)

Last Updated

2024-02-20 (about 2 years ago)

Other

Published

Title

Published

2023-12-07

Title

Awesome Support < 6.1.8 - Missing Authorization

Published

2025-03-27

Title

RomethemeKit For Elementor < 1.5.5 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Published

2023-12-26

Title

Essential Blocks for Gutenberg < 4.2.1 - Subscriber+ Unauthorised Actions

Published

2024-07-15

Title

Brizy – Page Builder < 2.4.45 - Missing Authorization to Authenticated (Contributor+) Post Modification

Published

2025-07-19

Title

Breeze Checkout <= 1.4.0 - Missing Authorization