WordPress Plugin Vulnerabilities

JetBackup < 1.4.1 - Subscriber+ Arbitrary Backup Location Update

Description

The plugin does not have authorisation when updating backup locations, allowing any authenticated users, such as subscriber to change it

Affects Plugins

Plugin icon
backup
Fixed in 1.4.1

References

CVE
CVE-2020-36667

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
d251347b-9e5f-4468-862a-a59bc9fd40f0

Timeline

Publicly Published
2020-07-30 (about 5 years ago)
Added
2023-03-07 (about 3 years ago)
Last Updated
2023-03-07 (about 3 years ago)

Other

Published
Title
Published
2023-05-23
Title
Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Incorrect Authorization leading to Arbitrary File Upload
Published
2024-10-14
Title
Jetpack < 13.9.1 - Subscriber+ Arbitrary Feedback Access
Published
2024-01-12
Title
Spiffy Calendar < 4.9.9 - Broken Access Control
Published
2024-07-23
Title
WooCommerce - PDF Vouchers < 4.9.4 - Authentication Bypass to Voucher Vendor
Published
2024-03-01
Title
GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access