WordPress Plugin Vulnerabilities

Maintenance & Coming Soon Redirect Animation < 2.3.0 - Missing Authorization to Settings Update

Description

The Maintenance & Coming Soon Redirect Animation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wploti_add_whitelisted_roles_option', 'wploti_remove_whitelisted_roles_option', 'wploti_add_whitelisted_users_option', 'wploti_remove_whitelisted_users_option', and 'wploti_uploaded_animation_save_option' functions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify certain plugin settings.

Affects Plugins

Plugin icon
maintenance-coming-soon-redirect-animation
Fixed in 2.3.0

References

CVE
CVE-2024-9503
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1e716cf9-198c-4a32-883d-3f90dd399aee

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
d67030cd-f66c-443c-b428-985a6036877f

Timeline

Publicly Published
2024-12-19 (about 1 year ago)
Added
2024-12-19 (about 1 year ago)
Last Updated
2025-03-12 (about 1 year ago)

Other

Published
Title
Published
2025-05-29
Title
Featured Image Plus < 1.6.6 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update
Published
2021-09-21
Title
WP Mega Menu < 1.4.1 - Subscriber+ Arbitrary Post Access
Published
2024-09-23
Title
BA Book Everything < 1.6.21 - Unauthenticated Arbitrary User Password Reset
Published
2020-09-05
Title
NextScripts: Social Networks Auto-Poster < 4.3.18 - Insufficient Privilege Validation
Published
2020-08-21
Title
Contact Form - Form builder by Kali Forms < 2.1.2 - Authenticated Plugin's Settings Change