GamiPress < 6.8.9 - Broken Access Control
Description
The plugin's access control mechanism does not properly restrict access to its settings: an Author can manipulate requests to extend access to lower-privileged users, such as Subscribers, even though the initial settings prohibit this. The issue is broken access control, allowing unauthorised users to modify critical plugin configuration.
Proof of Concept
- Inferred parameter values (role > capability):
  - Administrator > manage_options
  - Editor > delete_others_posts
  - Author > publish_posts
  - Contributor > edit_posts
  - Subscriber > read
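The fix the description implies, shown as an added example in plain WordPress PHP that is not GamiPress code: the "who may view the settings" gate is kept separate from the "who may change it" gate, so the save path always requires manage_options and only accepts a capability from the role mapping listed above. Route, option and function names are hypothetical.

```php
<?php
// Added example, not GamiPress code. All names are hypothetical.

// Allowed values for the "minimum capability" setting, highest to lowest
// privilege, taken from the role > capability mapping in the proof of concept.
const EXAMPLE_ALLOWED_CAPS = array(
    'manage_options',      // Administrator
    'delete_others_posts', // Editor
    'publish_posts',       // Author
    'edit_posts',          // Contributor
    'read',                // Subscriber
);

// Save path: permission_callback rejects anyone without manage_options, so an
// Author who can *view* the settings still cannot re-send the form with a
// lower capability. The validate_callback rejects values outside the allowlist.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings/minimum-capability', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_minimum_capability',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'capability' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ( $value ) {
                    return in_array( $value, EXAMPLE_ALLOWED_CAPS, true );
                },
            ),
        ),
    ) );
} );

function example_save_minimum_capability( WP_REST_Request $request ) {
    // The REST layer has already checked the X-WP-Nonce, the capability and the
    // allowlist, so only a known value reaches this point.
    $capability = sanitize_key( $request->get_param( 'capability' ) );
    update_option( 'example_minimum_capability', $capability );
    return rest_ensure_response( array( 'capability' => $capability ) );
}

// Read path: the settings *page* is gated on the stored minimum capability,
// falling back to manage_options if the option is missing or tampered with.
function example_user_may_open_settings() {
    $cap = get_option( 'example_minimum_capability', 'manage_options' );
    if ( ! in_array( $cap, EXAMPLE_ALLOWED_CAPS, true ) ) {
        $cap = 'manage_options';
    }
    return current_user_can( $cap );
}
```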
Classification
- Type: ACCESS CONTROLS
Miscellaneous
- Submitter: cyc707
- Verified: Yes
Timeline
- Publicly Published: 2024-04-08
- Added: 2024-04-08
- Last Updated: 2024-04-08