WordPress Plugin Vulnerabilities

Starbox < 3.4.8 - Subscriber+ Plugin Preferences / User Settings Access via IDOR

Description

The plugin is vulnerable to Insecure Direct Object Reference via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.

Affects Plugins

Plugin icon
starbox
Fixed in 3.4.8

References

CVE
CVE-2024-0366
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Sh
Verified
No
WPVDB ID
b9009605-5499-489e-ace5-547f0d88d1cf

Timeline

Publicly Published
2024-01-30 (about 2 years ago)
Added
2024-01-31 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2020-08-21
Title
Contact Form - Form builder by Kali Forms < 2.1.2 - Unauthenticated Arbitrary Post Deletion
Published
2021-05-08
Title
ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 - Unauthorised AJAX call
Published
2023-10-24
Title
Draw Attention < 2.0.16 - Improper Access Control via register_cpt
Published
2021-10-05
Title
JobSearch WP Job Board < 1.8.2 - Unauthenticated Plugin's Settings Update
Published
2021-03-16
Title
wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion