WordPress Plugin Vulnerabilities

Simple Custom Post Order < 2.5.8 - Missing Authorization

Description

The Simple Custom Post Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_menu_order_tags() function in versions up to, and including, 2.5.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update order tags.

Affects Plugins

Plugin icon
simple-custom-post-order
Fixed in 2.5.8

References

CVE
CVE-2024-49321
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/dc8eea10-3c51-4147-a7f6-d73553158f84

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
c5aa8d34-6319-4cb0-bc73-bce8557202bb

Timeline

Publicly Published
2024-10-15 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-10-18 (about 1 year ago)

Other

Published
Title
Published
2025-05-22
Title
Booking and Rental Manager < 2.3.9 - Missing Authorization
Published
2025-09-09
Title
WP Import – Ultimate CSV XML Importer for WordPress < 7.28 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure
Published
2025-05-16
Title
AnyWhere Elementor Pro <= 2.29 - Missing Authorization
Published
2025-11-09
Title
WooCommerce Recover Abandoned Cart < 24.7.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2024-08-28
Title
Fota WP < 1.4.2 - Missing Authorization via fotawp_install_and_activate_plugins()