WordPress Plugin Vulnerabilities

WP Force SSL & HTTPS SSL Redirect < 1.67 - Missing Authorization to Settings Update

Description

The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings.

Affects Plugins

Plugin icon
wp-force-ssl
Fixed in 1.67

References

CVE
CVE-2024-5770
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2081e4a-c6b7-4730-be59-bc728b90ecaa

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.2 (medium)

Miscellaneous

Original Researcher
Foxyyy
Verified
No
WPVDB ID
89c9be5f-9880-4318-aa93-8ddc347e4b67

Timeline

Publicly Published
2024-06-07 (about 1 year ago)
Added
2024-06-08 (about 1 year ago)
Last Updated
2024-06-08 (about 1 year ago)

Other

Published
Title
Published
2025-12-18
Title
HomeFix Elementor Portfolio <= 1.0.1 - Missing Authorization
Published
2025-04-04
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.9.5 - Missing Authorization
Published
2024-01-31
Title
PropertyHive < 2.0.7 - Missing Authorization via activate_pro_feature
Published
2025-11-06
Title
ListingPro <= 2.9.9 - Missing Authorization
Published
2025-07-03
Title
WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Privilege Escalation via wp_ajax_hrm_insert_employee AJAX Action