SportsPress – Sports Club & League Manager < 2.7.21 – Missing Authorization to Notice Dismissal | CVE 2024-34824 | Plugin Vulnerabilities

Description

The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_notices() function in versions up to, and including, 2.7.20. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices.

Affects Plugins

Fixed in 2.7.21

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/77930416-d79b-42bc-8a84-f7f140679a8a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dhabaleshwar Das

Verified

No

WPVDB ID

a2465116-ee3d-48fa-861a-013c147efa6c

Timeline

Publicly Published

2024-05-09 (about 2 years ago)

Added

2024-05-15 (about 2 years ago)

Last Updated

2024-05-15 (about 2 years ago)

Other

Published

Title

Published

2025-12-31

Title

Accordion Slider Gallery <= 2.7 - Missing Authorization

Published

2023-12-06

Title

System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_db_specs)

Published

2023-11-23

Title

SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure

Published

2025-03-27

Title

Traveler < 3.2.1 - Missing Authorization

Published

2026-02-19

Title

WP-Lister Lite for eBay < 3.8.6 - Missing Authorization