WordPress Plugin Vulnerabilities

WordPress Header Builder Plugin – Pearl < 1.3.8 - Missing Authorization to Unauthenticated Arbitrary Site Options Deletion

Description

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete() function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to delete arbitrary options that can be used to perform a denial of service attack on a site.

Affects Plugins

Plugin icon
pearl-header-builder
Fixed in 1.3.8

References

CVE
CVE-2024-5468
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2e770e0-1a39-4946-838b-4fd1f1dea1c8

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
a8d62c41-6b44-4b15-86e0-c2ac5a88e483

Timeline

Publicly Published
2024-06-11 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2024-06-12 (about 1 year ago)

Other

Published
Title
Published
2026-01-08
Title
Felan Framework <= 1.1.3 - Missing Authorization
Published
2023-10-12
Title
Poll Maker < 4.7.2 - Missing Authorization
Published
2026-02-18
Title
Display Eventbrite Events < 6.5.7 - Missing Authorization
Published
2025-01-08
Title
Bitly's WordPress Plugin < 2.7.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2025-04-02
Title
WP Video Playlist <= 1.1.2 - Missing Authorization to Unauthenticated Settings Update