WordPress Plugin Vulnerabilities

PropertyHive < 2.0.7 - Missing Authorization via activate_pro_feature

Description

The PropertyHive plugin for WordPress is vulnerable to unauthorized access of premium features due to a missing capability check on the activate_pro_feature() function in versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to activate pro features.

Affects Plugins

Plugin icon
propertyhive
Fixed in 2.0.7

References

CVE
CVE-2024-24718
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/84d55f24-c4de-4574-b0cc-cc1b4935d281

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Yudistira Arya
Verified
No
WPVDB ID
ab89d74c-f65c-4d69-ae3f-7943c1524e43

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-02-05 (about 2 years ago)

Other

Published
Title
Published
2026-01-06
Title
The Events Calendar Countdown Addon < 1.4.16 - Missing Authorization
Published
2023-12-08
Title
Manage Notification E-mails < 1.8.6 - Missing Authorization
Published
2026-03-23
Title
Five Star Restaurant Reservations – WordPress Booking Plugin < 2.7.10 - Missing Authorization
Published
2025-03-31
Title
Vitepos < 3.1.5 - Missing Authorization
Published
2025-03-14
Title
WC Affiliate – A Complete WooCommerce Affiliate Plugin < 2.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all