WordPress Plugin Vulnerabilities

Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Description

The Minterpress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on a function in all versions up to, and including, 1.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

Plugin icon
minterpress
No known fix

References

CVE
CVE-2024-54379
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c2151c87-0df3-477a-a1b2-7d2e5bc44eb5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
c9bc4478-c469-4b0f-a054-1ed4f0eb3b03

Timeline

Publicly Published
2024-12-11 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2024-12-19 (about 1 year ago)

Other

Published
Title
Published
2025-10-30
Title
FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) < 1.1.23.1 - Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation
Published
2025-07-19
Title
Breeze Checkout <= 1.4.0 - Missing Authorization
Published
2025-12-06
Title
Gravitec.net – Web Push Notifications < 2.9.18 - Missing Authorization
Published
2022-03-30
Title
Advanced Custom Fields < 5.12.1 - Contributor+ Database Information Access
Published
2025-01-16
Title
WAH Forms <= 1.0 - Missing Authorization