WordPress Plugin Vulnerabilities

Modula < 2.7.5 - Incomplete Authorization via 'save_image' and 'save_images'

Description

The Modula plugin for WordPress is vulnerable to unauthorized modification of data due to an incomplete capability check on the 'save_image' and 'save_images' functions in versions up to, and including, 2.7.4. This makes it possible for authenticated attackers with the 'edit_others_posts' but not the 'edit_posts' capability to save images. Note that this would only be considered a vulnerability on extremely unusual configurations.

Affects Plugins

Plugin icon
modula-best-grid-gallery
Fixed in 2.7.5

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f029bd86-d979-45d1-97fe-75c43fb71148

Miscellaneous

Verified
No
WPVDB ID
a32a005e-1453-4a1a-885c-8123a341b7e7

Timeline

Publicly Published
2023-09-10 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2023-05-30
Title
Blog-in-Blog <= 1.1.1 - Editor+ Stored Cross-Site Scripting via Shortcode
Published
2023-09-12
Title
MultiVendorX < 4.0.26 - Improper Authorization on REST Routes via 'save_settings_permission'
Published
2023-04-05
Title
Fancy Product Designer < 4.7.0 - Subscriber+ Unauthorized Access and Modification
Published
2023-05-27
Title
WP EasyCart < 5.4.9 - Product Deletion via CSRF
Published
2023-05-30
Title
Blog-in-Blog <= 1.1.1 - Editor+ Local File Inclusion via Shortcode