WordPress Plugin Vulnerabilities

HelloAsso < 1.1.11 - Missing Authorization

Description

The HelloAsso plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ha_ajax() function in versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute AJAX actions they should not have access to.

Affects Plugins

Plugin icon
helloasso
Fixed in 1.1.11

References

CVE
CVE-2024-44052
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b316094a-0d69-4712-a395-037ce6f2e59b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
83e89a18-9322-4942-ac03-375603f9fb66

Timeline

Publicly Published
2024-08-29 (about 1 year ago)
Added
2024-09-05 (about 1 year ago)
Last Updated
2024-09-05 (about 1 year ago)

Other

Published
Title
Published
2024-01-17
Title
12 Step Meeting List < 3.14.29 - Subscriber+ CSV Download
Published
2026-03-12
Title
MetForm Pro <= 3.9.1 - Missing Authorization
Published
2025-08-26
Title
All Bootstrap Blocks < 1.3.29 - Missing Authorization
Published
2024-06-04
Title
ProfileGrid < 5.8.7 - Missing Authorization
Published
2025-10-15
Title
Felan Framework < 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Activation/Deactivation via process_plugin_actions