Security Optimizer – The All-In-One Protection Plugin < 1.5.1 – Missing Authorization via hide_notice() | CVE 2024-38774 | Plugin Vulnerabilities

Description

The Security Optimizer – The All-In-One Protection Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notice() function in versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices.

Affects Plugins

Fixed in 1.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/679da7c0-98b9-4da0-bf1f-5c991e8a8111

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

81e93640-7d42-4c73-98e4-479af79a3d58

Timeline

Publicly Published

2024-07-19 (about 1 year ago)

Added

2024-07-25 (about 1 year ago)

Last Updated

2024-07-25 (about 1 year ago)

Other

Published

Title

Published

2023-11-16

Title

Live Preview for Contact Form 7 <= 1.2.0 - Missing Authorization via update_option

Published

2024-04-25

Title

WPPizza < 3.18.11 - Missing Authorization

Published

2024-04-15

Title

Custom Order Statuses for WooCommerce <= 1.5.2 - Missing Authorization

Published

2024-02-14

Title

EventPrime – Events Calendar, Bookings and Tickets < 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Event Export

Published

2025-03-31

Title

CF7 Spreadsheets <= 2.3.2 - Missing Authorization to Settings Update