Simple Local Avatars < 2.8.0 – Missing Authorization to Authenticated (Subscriber+) User Cache Clearing | CVE 2024-10786 | Plugin Vulnerabilities

Description

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches.

Affects Plugins

simple-local-avatars

Fixed in 2.8.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e2619d50-e295-4e13-91d4-f998b8aa5be4

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

cc4093a3-442b-49d0-932f-4dcc984107d7

Timeline

Publicly Published

2024-11-15 (about 1 year ago)

Added

2024-11-15 (about 1 year ago)

Last Updated

2024-11-16 (about 1 year ago)

Other

Published

Title

Published

2025-05-01

Title

Flynax Bridge < 2.2.1 - Unauthenticated Arbitrary User Deletion

Published

2024-01-03

Title

WooCommerce Conversion Tracking < 2.0.12 - Subscriber+ happy-elementor-addons Installation & Activation

Published

2023-10-27

Title

Post Meta Data Manager < 1.2.1 - Subscriber+ Privilege Escalation

Published

2024-02-09

Title

Awesome Support – WordPress HelpDesk & Support Plugin < 6.1.8 - Missing Authorization via editor_html()

Published

2024-02-06

Title

Podlove Podcast Publisher < 4.0.12 - Missing Authorization to Unauthenticated Data Export