Admin Notices Manager < 1.5.0 – Missing Authorization to Authenticated (Subscriber+) User Email Retrieval | CVE 2024-1717 | Plugin Vulnerabilities

Description

The Admin Notices Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_ajax_call() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve a list of registered user emails.

Affects Plugins

admin-notices-manager

Fixed in 1.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0849d86b-5cf1-4346-a9e9-a54768837969

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

d6750c0c-e478-445d-8c22-3e01da3f59ab

Timeline

Publicly Published

2024-06-03 (about 1 year ago)

Added

2024-06-03 (about 1 year ago)

Last Updated

2024-06-17 (about 1 year ago)

Other

Published

Title

Published

2023-09-12

Title

BAN Users <= 1.5.3 - Subscriber+ Settings Update & Privilege Escalation via Missing Authorization

Published

2025-11-03

Title

Crypto Payment Gateway with Payeer for WooCommerce <= 1.0.3 - Unauthenticated Payment Bypass

Published

2025-08-18

Title

King Addons for Elementor <= 51.1.58 - Missing Authorization

Published

2025-01-24

Title

WP Duplicate – WordPress Migration Plugin < 1.1.7 - Missing Authorization

Published

2025-03-13

Title

WP Ghost < 5.4.02 - Unauthenticated Limited File Read