WordPress Plugin Vulnerabilities

Multiple Page Generator Plugin – MPG < 4.0.2 - Missing Authorization

Description

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functions in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those functions intended for admin use resulting in subscribers being able to upload csv files and view the contents of MPG projects.

Affects Plugins

Plugin icon
multiple-pages-generator-by-porthas
Fixed in 4.0.2

References

CVE
CVE-2024-7424
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/860848c1-dd67-4baf-a571-bc866c5f12f8

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
da12ebcb-69e0-4696-93a0-c1c73ed6776a

Timeline

Publicly Published
2024-10-31 (about 1 year ago)
Added
2024-10-31 (about 1 year ago)
Last Updated
2024-11-01 (about 1 year ago)

Other

Published
Title
Published
2021-10-20
Title
Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection
Published
2024-03-25
Title
WooCommerce < 8.6 - Contributor+ Private/Draft Products Access
Published
2021-03-16
Title
wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover
Published
2021-10-05
Title
JobSearch WP Job Board < 1.8.2 - Subscriber+ Add/Update Schedule Calls
Published
2024-02-21
Title
Event Tickets and Registration < 5.8.2 - Missing Authorization