Email Log < 2.4.9 – Unauthenticated Hook Injection | CVE 2024-0867 | Plugin Vulnerabilities

Description

The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement.

Affects Plugins

Fixed in 2.4.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/fd15268f-7e06-4e0d-baaf-f27348af61ce

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Sean Murphy

Verified

No

WPVDB ID

94c24851-9f25-4168-9689-9f9a5d09e9cc

Timeline

Publicly Published

2024-05-23 (about 2 years ago)

Added

2024-05-23 (about 2 years ago)

Last Updated

2024-05-24 (about 2 years ago)

Other

Published

Title

Published

2025-09-05

Title

Job Board Manager <= 2.1.61 - Authenticated (Job Poster+) Arbitrary Shortcode Execution

Published

2023-09-26

Title

Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution

Published

2026-03-23

Title

User Registration & Membership < 5.1.3 - Unauthenticated Remote Code Execution

Published

2022-05-18

Title

The School Management < 9.9.7 - Unauthenticated RCE via REST api

Published

2026-04-21

Title

FunnelFormsPro <= 3.8.1 - Authenticated (Subscriber+) Remote Code Execution