WordPress Plugin Vulnerabilities

Easy Property Listings < 3.5.4 - Missing Authorization via epl_update_listing_coordinates()

Description

The Easy Property Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the epl_update_listing_coordinates function in versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to update listing co-ordinates.

Affects Plugins

Plugin icon
easy-property-listings
Fixed in 3.5.4

References

CVE
CVE-2024-32799
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6647856b-19f2-475a-8d45-d33c7b3a8f92

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
b211ea1a-d677-404b-8947-e2c41a9bfcae

Timeline

Publicly Published
2024-04-22 (about 2 years ago)
Added
2024-04-29 (about 2 years ago)
Last Updated
2024-04-29 (about 2 years ago)

Other

Published
Title
Published
2026-01-08
Title
Tutor LMS – eLearning and online course solution < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
Published
2025-01-03
Title
Nexter Blocks < 4.0.8 - Missing Authorization
Published
2025-10-16
Title
HomeLancer < 1.0.2 - Missing Authorization
Published
2025-11-18
Title
Chat Help < 3.1.4 - Unauthenticated Sensitive Information Exposure
Published
2024-04-25
Title
ARForms Form Builder < 1.6.5 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion