WordPress Plugin Vulnerabilities

Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import

Description

The Spice Starter Sites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the spice_starter_sites_importer_creater function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to import demo content.

Affects Plugins

Plugin icon
spice-starter-sites
No known fix

References

CVE
CVE-2024-8430
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec52337f-bdd1-4632-853b-da86d64751e7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
7628bef2-5420-499e-b987-0caa4521fd4b

Timeline

Publicly Published
2024-09-30 (about 1 year ago)
Added
2024-09-30 (about 1 year ago)
Last Updated
2024-10-01 (about 1 year ago)

Other

Published
Title
Published
2025-11-30
Title
LearnPress < 4.3.0 - Missing Authorization
Published
2023-11-03
Title
Short URL <= 1.6.8 - Missing Authorization via multiple AJAX functions
Published
2025-10-04
Title
Post Grid and Gutenberg Blocks < 2.3.18 - Missing Authorization
Published
2023-09-04
Title
rtMedia for WordPress, BuddyPress and bbPress < 4.6.15 - Missing Authorization to Settings Update
Published
2025-12-28
Title
Discussion Board < 2.5.8 - Missing Authorization