WordPress Plugin Vulnerabilities

Colibri Page Builder < 1.0.249 - Missing Authorization

Description

The Colibri Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_colibri_page_builder_wpmu_setting AJAX action in all versions up to, and including, 1.0.248. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify settings.

Affects Plugins

Plugin icon
colibri-page-builder
Fixed in 1.0.249

References

CVE
CVE-2024-28004
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9759e1f0-e134-4c7f-88aa-63dbae7067f1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
71baa6c5-ca7e-4f0e-8c7f-140b5740f3eb

Timeline

Publicly Published
2024-03-26 (about 2 years ago)
Added
2024-05-09 (about 2 years ago)
Last Updated
2024-05-09 (about 2 years ago)

Other

Published
Title
Published
2025-12-31
Title
QuadLayers TikTok Feed <= 4.6.4 - Missing Authorization
Published
2026-02-19
Title
Download Manager < 3.3.53 - Missing Authorization
Published
2026-05-01
Title
Paid Memberships Pro < 3.6.6 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption
Published
2025-06-12
Title
Arconix FAQ < 1.9.7 - Missing Authorization
Published
2023-11-08
Title
Elementor Website Builder < 3.16.5 - Missing Authorization to Arbitrary Attachment Read