Page Builder Sandwich <= 5.1.0 – Missing Authorization to Authenticated(Subscriber+) Arbitrary Post Editing | CVE 2024-1285 | Plugin Vulnerabilities

Description

The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'gambit_builder_save_content' function in all versions up to, and including, 5.1.0. This makes it possible for authenticated attackers, with subscriber access and above, to insert arbitrary content into existing posts.

Affects Plugins

page-builder-sandwich

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/69d3d66c-5557-4fb4-8bd7-05d76d6b86ab

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

ad22c1fb-b531-4401-9b0f-a64daa949ee6

Timeline

Publicly Published

2024-03-04 (about 2 years ago)

Added

2024-03-04 (about 2 years ago)

Last Updated

2024-03-04 (about 2 years ago)

Other

Published

Title

Published

2022-02-21

Title

Hide Admin Bar Based on User Roles < 3.0.0 - Subscriber+ Settings Update

Published

2026-05-12

Title

Cost Calculator Builder < 4.0.2 - Unauthenticated Price Manipulation and Insecure Direct Object Reference

Published

2026-01-20

Title

Creator LMS – The LMS for Creators, Coaches, and Trainers < 1.1.13 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update

Published

2026-01-19

Title

WP Forms Signature Contract Add-On < 1.8.3 - Missing Authorization to Authenticated (Subscriber+) Notice Dimissal

Published

2025-03-11

Title

SecuPress Free < 2.3 - Missing Authorization