Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce < 1.2.0 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation | CVE 2024-10124 | Plugin Vulnerabilities

Description

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.

Affects Plugins

Fixed in 1.2.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/81e7ab80-7df2-4ef4-80ee-a11d057151c4

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

66294caf-45dd-4767-b924-dbe6203259c0

Timeline

Publicly Published

2024-12-11 (about 1 year ago)

Added

2024-12-11 (about 1 year ago)

Last Updated

2024-12-12 (about 1 year ago)

Other

Published

Title

Published

2024-02-27

Title

Under Construction / Maintenance Mode from Acurax <= 2.6 - Information Exposure

Published

2021-09-01

Title

Gutenberg Template Library & Redux Framework < 4.2.13 - Contributor+ Arbitrary Plugin Installation and Post Deletion

Published

2020-08-04

Title

The Official WordPress Facebook Chat Plugin < 1.6 - Authenticated Options Change to Chat Takeover

Published

2021-10-05

Title

JobSearch WP Job Board < 1.8.2 - Subscriber+ Arbitrary Blog Options Update

Published

2021-04-20

Title

Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Post Deletion