WordPress Plugin Vulnerabilities

Plugin Permalink < 2.4.3.2 - Missing Authorization via get_uri_editor

Description

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts.

Affects Plugins

Plugin icon
permalink-manager
Fixed in 2.4.3.2

References

CVE
CVE-2024-2543
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/74f6bf42-3406-47c5-b255-6cc1e8084fb5

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Muhammad Zeeshan (Xib3rR4dAr)
Verified
No
WPVDB ID
5f0ba357-69bc-49ff-a151-fc52a1444a60

Timeline

Publicly Published
2024-03-20 (about 2 years ago)
Added
2024-03-20 (about 2 years ago)
Last Updated
2024-03-20 (about 2 years ago)

Other

Published
Title
Published
2026-02-05
Title
Timeline Block < 1.3.4 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute
Published
2023-07-07
Title
Getnet Argentina para Woocommerce < 0.0.5 - Unauthenticated Authorization Bypass
Published
2025-12-05
Title
Fluent Forms < 6.1.8 - Unauthenticated Payment Status Tampering via IDOR
Published
2024-04-22
Title
BuddyBoss platform < 2.7.60 - Private Comment Exposure via IDOR
Published
2024-10-30
Title
Forminator Forms < 1.36.1 - Unauthenticated Arbitrary Quiz Submissions Update