WordPress Plugin Vulnerabilities

Page Builder: Live Composer < 1.5.39 - Missing Authorization

Description

The Page Builder: Live Composer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the dslc_ajax_add_module() function in versions up to, and including, 1.5.38. This makes it possible for authenticated attackers, with author-level access and above, to add modules.

Affects Plugins

Plugin icon
live-composer-page-builder
Fixed in 1.5.39

References

CVE
CVE-2024-32957
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e8b8689-ab6a-426b-9aba-4fa14c455ff1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
661e1500-db75-45c0-b2d2-e9ee773cb4d7

Timeline

Publicly Published
2024-04-23 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2025-12-21
Title
Wappointment <=2.7.2 - Missing Authorization
Published
2025-09-22
Title
WP Events Manager < 2.2.2 - Missing Authorization
Published
2026-01-25
Title
TOP Table Of Contents < 1.4.0 - Missing Authorization
Published
2026-02-09
Title
JobScout < 1.1.8 - Missing Authorization
Published
2023-09-05
Title
Slider Pro < 4.8.7 - Missing Authorization via AJAX actions