Molongui < 4.7.8 – Authenticated (Author+) Insecure Direct Object Reference | CVE 2024-30507 | Plugin Vulnerabilities

Description

The Author Box, Guest Author and Co-Authors for Your Posts – Molongui plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.7.7 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to perform an unauthorized action.

Affects Plugins

molongui-authorship

Fixed in 4.7.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/62aa0cc4-ef8e-4727-ac07-3481c0464b05

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

CatFather

Verified

No

WPVDB ID

8cb1d596-8cdc-49f7-8c05-4ebb4efda9b2

Timeline

Publicly Published

2024-03-28 (about 2 years ago)

Added

2024-04-04 (about 2 years ago)

Last Updated

2024-04-04 (about 2 years ago)

Other

Published

Title

Published

2026-01-02

Title

Overton <= 1.3 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2023-08-30

Title

Metform Elementor Contact Form Builder < 3.3.2 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

Published

2024-11-21

Title

Easy Twitter Feed – Twitter feeds plugin for WP <= 1.2.6 - Authenticated (Contributor+) Post Exposure

Published

2025-08-22

Title

Accessibility Checker by Equalize Digital < 1.30.1 - Authenticated (Contributor+) Insecure Direct Object Reference

Published

2023-09-12

Title

wpDiscuz < 7.6.4 - Unauthenticated Data Modification via IDOR