Admin Bar Remover < 1.0.23 – Missing Authorization to Authenticated (Subscriber+) Settings Update | CVE 2024-1716 | Plugin Vulnerabilities

Description

The Admin Bar Remover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_form() function in all versions up to, and including, 1.0.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable or disable the admin bar on the front-end of the site.

Affects Plugins

Fixed in 1.0.23

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/dfbf2556-0509-4d8a-8949-494c6bc82ea1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

8086d0e1-2492-4d08-919f-e52ed6c2bcf0

Timeline

Publicly Published

2024-04-26 (about 2 years ago)

Added

2024-04-26 (about 2 years ago)

Last Updated

2024-04-26 (about 2 years ago)

Other

Published

Title

Published

2024-11-08

Title

Top Store < 1.5.5 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Published

2023-08-18

Title

WooCommerce PDF Invoice Builder < 1.2.92 - Subscriber+ Arbitrary Invoice Access

Published

2025-04-23

Title

Flynax Bridge < 2.2.1 - Unauthenticated Privilege Escalation via Account Takeover

Published

2026-01-21

Title

Anything Order by Terms <= 1.4.0 - Missing Authorization

Published

2023-02-21

Title

WP OAuth Server < 4.3.0 - Subscriber+ Arbitrary Client Deletion