WordPress Plugin Vulnerabilities

WP Debugging < 2.11.0 - Unauthenticated Plugin's Settings Update

Description

The plugin has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users.

Proof of Concept

Affects Plugins

Plugin icon
wp-debugging
Fixed in 2.11.0

References

CVE
CVE-2021-24779

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
8d0e65ee-fdd1-4fd6-9a27-01664c703d90

Timeline

Publicly Published
2021-09-27 (about 4 years ago)
Added
2021-09-27 (about 4 years ago)
Last Updated
2022-04-14 (about 3 years ago)

Other

Published
Title
Published
2024-07-15
Title
WP RSS Aggregator < 4.23.12 - Missing Authorization to Authenticated (Subscriber+) Feed State Update
Published
2024-06-21
Title
Hercules Core < 6.7 - Missing Authorization to Settings Update
Published
2025-07-21
Title
The E-Commerce ERP <= 2.1.1.3 - Missing Authorization
Published
2023-04-05
Title
WCFM Marketplace < 3.4.12 - Subscriber+ Unauthorised AJAX Calls
Published
2021-07-20
Title
WP SEO TDK <= 2.1.2 - Unauthenticated Setting Update to Stored XSS