WordPress Plugin Vulnerabilities

Notibar < 2.1.5 - Missing Authorization via ajax_install_plugin

Description

The Notibar plugin for WordPress is vulnerable to unauthorized plugin activation due to a missing capability check on the ajax_install_plugin() function in versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with contributor-level access and above, to activate a pre-defined plugin.

Affects Plugins

Plugin icon
notibar
Fixed in 2.1.5

References

CVE
CVE-2024-54269
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8567a7d7-4f4b-41de-a4e2-03f22f429774

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jingle Bells
Verified
No
WPVDB ID
7a73782e-34b8-4759-bedb-2055d91c8311

Timeline

Publicly Published
2024-12-11 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2024-12-19 (about 1 year ago)

Other

Published
Title
Published
2024-12-14
Title
Spreadr Woocommerce < 1.0.5 - Missing Authorization to Arbitrary Content Deletion
Published
2025-05-06
Title
PGS Core < 5.9.0 - Missing Authorization via Multiple Functions
Published
2023-11-28
Title
LadiApp <= 4.4 - Missing Authorization
Published
2025-11-20
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.2 - Missing Authorization to Authenticated (Subscriber+) Role Removal
Published
2023-10-12
Title
wpDiscuz < 7.6.12 - Missing Authorization in AJAX Actions