WordPress Plugin Vulnerabilities

Booster Extension <= 1.2.0 - Basic Information Exposure via booster_extension_authorbox_shortcode_display

Description

The Booster Extension plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.0 via the 'booster_extension_authorbox_shortcode_display' function. This makes it possible for unauthenticated attackers to extract sensitive data including user emails

Affects Plugins

Plugin icon
booster-extension
No known fix

References

CVE
CVE-2024-2109
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/89458095-2efe-4162-961a-7dc80852d312

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
8a6b73c0-0e7f-4d22-96ea-ff73b36cc194

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2025-09-06
Title
Travel Booking WordPress Theme < 3.2.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2025-05-12
Title
TheGem < 5.10.3.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Theme Options Update
Published
2025-03-31
Title
Auto Post After Image Upload <= 1.6 - Missing Authorization
Published
2024-08-12
Title
Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-09-22
Title
CoDesigner <= 4.26 - Missing Authorization