MailerLite – Signup forms (official) < 1.7.7 – Missing Authorization | CVE 2024-2797 | Plugin Vulnerabilities

Description

The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to allow lower level users to modify forms.

Affects Plugins

official-mailerlite-sign-up-forms

Fixed in 1.7.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a03b4c19-85fa-47ad-b9ae-b466f8e5ca96

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

936d868f-d50d-4629-a9f5-50b34fe41588

Timeline

Publicly Published

2024-04-29 (about 2 years ago)

Added

2024-04-29 (about 2 years ago)

Last Updated

2024-04-29 (about 2 years ago)

Other

Published

Title

Published

2025-11-15

Title

Contact Form Email < 1.3.59 - Missing Authorization

Published

2025-08-22

Title

Church Admin < 5.0.27 - Missing Authorization

Published

2026-04-10

Title

Tutor LMS < 3.9.8 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment

Published

2024-09-25

Title

Ads by WPQuads – Adsense Ads, Banner Ads, Popup Ads < 2.0.85 - Missing Authorization

Published

2025-07-07

Title

Guest Support – Complete customer support ticket system for WordPress < 1.2.3 - Missing Authorization to Unauthenticated Ticket Deletion