WordPress Plugin Vulnerabilities

Knowledge Base documentation & wiki plugin – BasePress Docs < 2.16.3.4 - Missing Authorization to Authenticated (Subscriber+) Database Update

Description

The Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the basepress_db_posts_update() function in all versions up to, and including, 2.16.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the database.

Affects Plugins

Plugin icon
basepress
Fixed in 2.16.3.4

References

CVE
CVE-2024-10664
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa6f3c2-0e45-4243-a26d-ba1c702fbe11

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
BrokenAC ignore
Verified
No
WPVDB ID
658b5e09-f8aa-4137-be89-dc69f5921d70

Timeline

Publicly Published
2024-12-03 (about 1 year ago)
Added
2024-12-03 (about 1 year ago)
Last Updated
2024-12-04 (about 1 year ago)

Other

Published
Title
Published
2023-11-28
Title
Export WP Page to Static HTML/CSS < 2.2.0 - Missing Authorization via Multiple AJAX Actions
Published
2024-06-05
Title
Countdown, Coming Soon, Maintenance – Countdown & Clock < 2.7.8.1 - Missing Authorization to Authenticated (Subscriber+) PHP Object Injection
Published
2023-03-07
Title
Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access in Maintenance Mode
Published
2024-12-11
Title
Quietly Insights <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-01-31
Title
AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations <= 1.4.23 - Missing Authorization to Unauthenticated Settings Update