WordPress Plugin Vulnerabilities

Meks Video Importer < 1.0.13 - Missing Authorization to Authenticated (Subscriber+) API Keys Modification

Description

The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajax_save_settings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API keys.
CVE-2024-38733 may be a duplicate of this issue.

Affects Plugins

Plugin icon
meks-video-importer
Fixed in 1.0.13

References

CVE
CVE-2024-6599
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/eaf9cc48-1ba6-4e9b-9f49-54f7747c26e0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
b6893b8e-75b8-4ebd-88d7-dff4a7239ad5

Timeline

Publicly Published
2024-07-17 (about 1 year ago)
Added
2024-07-17 (about 1 year ago)
Last Updated
2024-07-31 (about 1 year ago)

Other

Published
Title
Published
2025-05-19
Title
Legal Pages < 1.4.6 - Missing Authorization
Published
2023-12-01
Title
Social Pug < 1.30.1 - Missing Authorization via multiple admin_init actions
Published
2025-12-02
Title
WPS Bidouille < 1.33.2 - Missing Authorization
Published
2024-03-15
Title
Word Replacer Pro <= 1.0 - Missing Authorization to Unauthenticated Arbitrary Content Update
Published
2025-10-16
Title
HomeLancer < 1.0.2 - Missing Authorization