WordPress Plugin Vulnerabilities

BEAR < 1.1.4.1 - Missing Authorization via Several Functions

Description

The BEAR plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in the /ext/history/history.php file in versions up to, and including, 1.1.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions.

Affects Plugins

Plugin icon
woo-bulk-editor
Fixed in 1.1.4.1

References

CVE
CVE-2024-24835
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/411b7889-c2c6-48cb-967d-091585705e17

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
a8d1f6ae-d85d-4b81-bcf0-43c32fce7b79

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-02-05 (about 2 years ago)

Other

Published
Title
Published
2026-01-08
Title
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories < 4.9.4 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation
Published
2025-08-01
Title
WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons < 1.7.1 - Missing Authorization to Unauthenticated Sticky Status Update
Published
2025-01-16
Title
Slides & Presentations <= 0.0.39 - Missing Authorization to Content Injection
Published
2025-02-03
Title
SocialV - Social Network and Community BuddyPress Theme < 2.0.16 - Missing Authorization to Arbitrary File Download
Published
2026-01-19
Title
SEO Booster <= 6.1.8 - Missing Authorization