WordPress Plugin Vulnerabilities

New User Approve < 2.6.4 - Missing Authorization

Description

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the _admin_notices_hook function in versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with contributor-level access and above, to read notices intended for admins.

Affects Plugins

Plugin icon
new-user-approve
Fixed in 2.6.4

References

CVE
CVE-2024-54323
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c00e07a-7a0b-4cfa-8f6b-b03e3b485f07

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
SavPhill (Savphill)
Verified
No
WPVDB ID
997c78ea-0e9b-45e4-9b3a-166a424b4a7d

Timeline

Publicly Published
2024-12-11 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2024-12-19 (about 1 year ago)

Other

Published
Title
Published
2024-06-28
Title
ArtPlacer Widget < 2.21.2 - Subscriber+ Arbitrary Widget Deletion
Published
2023-03-06
Title
Gallery Blocks with Lightbox < 3.0.8 - Subscriber+ Arbitrary Options Update
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion
Published
2024-05-03
Title
ShopLentor (formerly WooLentor) < 2.8.8 - Missing Authorization
Published
2023-11-28
Title
Button Generator < 2.3.9 - Unauthenticated Button Counter Reset