WordPress Plugin Vulnerabilities

WP Chat App < 3.6.9 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation

Description

The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the filebird plugin.

Affects Plugins

Plugin icon
wp-whatsapp
Fixed in 3.6.9

References

CVE
CVE-2024-10533
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/26f73bfe-f41a-4045-9d72-21181a9a704f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
c0bed086-81ac-42b6-93f0-e7431529ecdc

Timeline

Publicly Published
2024-11-15 (about 1 year ago)
Added
2024-11-15 (about 1 year ago)
Last Updated
2024-11-16 (about 1 year ago)

Other

Published
Title
Published
2024-03-11
Title
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Missing Authorization on publish_lp()
Published
2024-06-27
Title
Easy Image Collage < 1.13.6 - Missing Authorization to Authenticated (Contributor+) Data Clearance
Published
2025-12-15
Title
Watu Quiz < 3.4.5.1 - Missing Authorization
Published
2025-02-14
Title
Distance Based Shipping Calculator < 2.0.23 - Missing Authorization to Unauthenticated Settings Update
Published
2026-01-07
Title
ShopMagic < 4.7.3 - Missing Authorization