WordPress Plugin Vulnerabilities

Swift Performance Lite < 2.3.6.19 - Subscriber+ Settings Update

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the ajax_handler() function, allowing authenticated attackers, with subscriber-level access and above, to retrieve and modify settings.

Affects Plugins

Plugin icon
swift-performance-lite
Fixed in 2.3.6.19

References

CVE
CVE-2024-3722
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/58b7736a-e3e0-4ecd-9adf-284568b02ef7

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
6c726e12-2447-48ef-ab50-6416e7d047f7

Timeline

Publicly Published
2024-05-08 (about 2 years ago)
Added
2024-05-08 (about 2 years ago)
Last Updated
2024-05-17 (about 1 year ago)

Other

Published
Title
Published
2023-03-10
Title
GiveWP < 2.25.2 - Contributor+ Arbitrary Content Deletion
Published
2026-01-30
Title
Ajax Load More – Infinite Scroll, Lazy Load & Load More < 7.8.2 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ Arbitrary File Upload
Published
2026-02-17
Title
User Submitted Posts < 20260217 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter
Published
2024-01-05
Title
Icegram < 3.1.22 - Contributor+ Campaign Status Toggle / Duplication