WordPress Plugin Vulnerabilities

Mark New Posts < 7.6 - Missing Authorization via save_options

Description

The Mark New Posts plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options() function in versions up to, and including, 7.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to change plugin settings.

Affects Plugins

Plugin icon
mark-new-posts
Fixed in 7.6

References

CVE
CVE-2024-54311
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/43fd1949-2682-469b-a129-223ebecc312e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jingle Bells
Verified
No
WPVDB ID
d3eb5fc1-87c9-41f7-9019-b071096013bd

Timeline

Publicly Published
2024-12-11 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2024-12-19 (about 1 year ago)

Other

Published
Title
Published
2025-09-22
Title
Skimlinks Affiliate Marketing Tool < 1.3.1 - Missing Authorization
Published
2025-06-16
Title
WP Dummy Content Generator < 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion
Published
2025-01-15
Title
Widget Options < 4.0.9 - Missing Authorization to Notice Dismissal
Published
2025-12-15
Title
TrueBooker < 1.1.1 - Missing Authorization
Published
2026-02-06
Title
The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification