WordPress Plugin Vulnerabilities

Print Labels with Barcodes < 3.4.7 - Subscriber+ Settings/Profiles Update, Templates/Barcodes Access/Creation/Edition/Deletion

Description

The plugin is vulnerable to unauthorized access of data, modification of data, and loss of data due to an improper capability check on 42 separate AJAX functions. This makes it possible for authenticated attackers, with subscriber access and above, to fully control the plugin which includes the ability to modify plugin settings and profiles, and create, edit, retrieve, and delete templates and barcodes.

Affects Plugins

Plugin icon
a4-barcode-generator
Fixed in 3.4.7

References

CVE
CVE-2024-1677
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6e15d285-aa1d-461d-bdc2-642e7ccd789b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
a957ca3a-1283-46e8-ac25-6e8b389844a6

Timeline

Publicly Published
2024-04-29 (about 1 year ago)
Added
2024-04-29 (about 1 year ago)
Last Updated
2024-05-30 (about 1 year ago)

Other

Published
Title
Published
2025-11-03
Title
Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 - Unauthenticated Payment Bypass
Published
2024-04-22
Title
Vision Interactive < 1.7.2 - Missing Authorization
Published
2025-05-16
Title
Pinterest Automatic Pin <= 4.19.0 - Missing Authorization
Published
2024-04-05
Title
Wholesale For WooCommerce < 2.3.1 - Unauthenticated Arbitrary Post Deletion
Published
2025-12-29
Title
Strong Testimonials < 3.2.19 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update