CTX Feed < 6.5.7 – Shop Manager+ Arbitrary Options Update | CVE 2024-38775 | Plugin Vulnerabilities

Description

The CTX Feed – WooCommerce Product Feed Manager Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the create_item() function in all versions up to, and including, 6.5.6. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

webappick-product-feed-for-woocommerce

Fixed in 6.5.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d05295-182c-4c4a-bb0d-15831fe7e691

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

9d9eb15b-a993-4275-8906-b08ba4fcfce0

Timeline

Publicly Published

2024-07-19 (about 1 year ago)

Added

2024-07-25 (about 1 year ago)

Last Updated

2024-07-25 (about 1 year ago)

Other

Published

Title

Published

2025-01-23

Title

Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates < 1.0.15 - Missing Authorization to Spexo Theme Install

Published

2026-01-05

Title

GetGenie < 4.3.1 - Missing Authorization

Published

2024-04-22

Title

CookieHub < 1.1.1 - Missing Authorization

Published

2025-12-29

Title

BizPrint < 4.7.1 - Missing Authorization

Published

2024-11-18

Title

Jobify - Job Board WordPress Theme <= 4.2.3 - Missing Authorization