WordPress Plugin Vulnerabilities

Podlove Podcast Publisher < 4.0.12 - Missing Authorization to Unauthenticated Data Export

Description

The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information.

Affects Plugins

Plugin icon
podlove-podcasting-plugin-for-wordpress
Fixed in 4.0.12

References

CVE
CVE-2024-1109
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7b25b66-e9d1-448d-8367-cce4c0dec635

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
d718b574-9cef-463e-9b23-a95eb0af3a67

Timeline

Publicly Published
2024-02-06 (about 2 years ago)
Added
2024-02-06 (about 2 years ago)
Last Updated
2024-02-06 (about 2 years ago)

Other

Published
Title
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary File Deletion
Published
2025-03-11
Title
WP Performance Pack < 2.5.4 - Missing Authorization
Published
2025-07-15
Title
Ultimate WP Mail 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function
Published
2025-04-01
Title
Clockinator Lite <= 1.0.7 - Missing Authorization
Published
2025-11-12
Title
Survey Maker < 5.1.9.5 - Missing Authorization to Unauthenticated Limited Option Update