WordPress Plugin Vulnerabilities

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce < 2.11.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication

Description

The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized post publication due to a missing capability check on the activateCampaign() function in all versions up to, and including, 2.10.0. This makes it possible for authenticated attackers, with contributor-level access and above, to publish arbitrary posts like ones they have submitted for review, or a site administrator has in draft.

Affects Plugins

Plugin icon
hurrytimer
Fixed in 2.11.0

References

CVE
CVE-2024-8667
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7a8eda88-c45a-4867-b427-d63b586e6de3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
9acd8794-563f-401b-9743-7086fe4d2c81

Timeline

Publicly Published
2024-10-23 (about 1 year ago)
Added
2024-10-23 (about 1 year ago)
Last Updated
2024-10-24 (about 1 year ago)

Other

Published
Title
Published
2026-01-06
Title
Unify < 3.4.10 - Missing Authorization to Unauthenticated Option Deletion via 'unify_plugin_downgrade' Parameter
Published
2025-05-16
Title
Sharespine Woocommerce Connector < 4.8.56 - Missing Authorization
Published
2025-04-04
Title
eaSYNC < 1.3.21 - Missing Authorization
Published
2024-02-26
Title
Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2022-08-22
Title
WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update