WordPress Plugin Vulnerabilities

Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio <= 3.6.4 - Missing Authorization

Description

The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with subscriber access or higher, to delete, retrieve, or modify post metadata, retrieve posts contents of protected posts, modify conversion data and delete article audio.

Affects Plugins

Plugin icon
play-ht
No known fix

References

CVE
CVE-2024-0828
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5708a414-7cd8-4926-8871-3248ebf4c39d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
6e0b76d0-b10e-4192-a7fa-bfe562a75f72

Timeline

Publicly Published
2024-02-22 (about 2 years ago)
Added
2024-02-22 (about 2 years ago)
Last Updated
2024-02-22 (about 2 years ago)

Other

Published
Title
Published
2025-04-07
Title
Spider Elements – Addons for Elementor < 1.6.7 - Missing Authorization
Published
2026-01-16
Title
User Registration Using Contact Form 7 < 2.6 - Authenticated (Subscriber+) Information Exposure
Published
2021-12-08
Title
WP Google Map < 1.8.1 - Subscriber+ Map Creation/Update/Deletion
Published
2025-12-03
Title
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App < 3.6.2 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update
Published
2024-07-18
Title
YITH Essential Kit for WooCommerce #1 < 2.35.0 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation