WordPress Plugin Vulnerabilities

Radio Player < 2.0.74 - Missing Authorization via get_players

Description

The Radio Player plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_players' function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to retrieve a list of radio players.

Affects Plugins

Plugin icon
radio-player
Fixed in 2.0.74

References

CVE
CVE-2024-2906
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/081e76e4-60ec-496d-979b-d128771af475

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Elliot
Verified
No
WPVDB ID
c76ca884-1fe9-4566-9ec7-3f5dedfd869a

Timeline

Publicly Published
2024-03-26 (about 2 years ago)
Added
2024-03-27 (about 2 years ago)
Last Updated
2024-03-27 (about 2 years ago)

Other

Published
Title
Published
2025-02-17
Title
Scratch & Win – Giveaways and Contests < 2.9.0 - Missing Authorization to Unauthenticated Coupon Creation
Published
2026-01-27
Title
Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
Published
2025-12-02
Title
Tiktok Feed < 1.0.24 - Missing Authorization
Published
2026-02-09
Title
JobScout < 1.1.8 - Missing Authorization
Published
2026-01-22
Title
Hotel Listing <= 1.4.2 - Missing Authorization