WordPress Plugin Vulnerabilities

Defender Security < 4.7.3 - Missing Authorization

Description

The Defender Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clear_config_transient() function in versions up to, and including, 4.7.2. This makes it possible for unauthenticated attackers to clear config data.

Affects Plugins

Plugin icon
defender-security
Fixed in 4.7.3

References

CVE
CVE-2024-37444
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/26963b32-db2c-430b-99e5-65a2cc7d478d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
b067a660-7b68-4a15-976b-5fc68c811cfc

Timeline

Publicly Published
2024-06-28 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2026-01-07
Title
Tutor LMS < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details
Published
2023-02-14
Title
WP VR < 8.2.8 - Subscriber+ Settings Update
Published
2025-01-31
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.2.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Published
2025-06-19
Title
WANotifier <= 2.7.12 - Missing Authorization
Published
2024-06-20
Title
User Rights Access Manager <= 1.1.2 - Missing Authorization