Boostify Header Footer Builder for Elementor < 1.3.6 – Missing Authorization to Page/Post Creation | CVE 2024-4788 | Plugin Vulnerabilities

Description

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content.

Affects Plugins

boostify-header-footer-builder

Fixed in 1.3.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1090acfc-5b0c-478a-ac71-db54fdaefdf5

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

daf34fb2-1105-4cdf-a098-9e06794faa14

Timeline

Publicly Published

2024-06-05 (about 1 year ago)

Added

2024-06-05 (about 1 year ago)

Last Updated

2024-07-03 (about 1 year ago)

Other

Published

Title

Published

2026-01-31

Title

Order Tracking <= 3.4.4 - Missing Authorization

Published

2024-05-17

Title

Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation

Published

2025-01-16

Title

Debug Tool <= 2.2 - Missing Authorization

Published

2026-02-17

Title

Academy LMS < 3.5.4 - Missing Authorization

Published

2024-08-19

Title

GiveWP – Donation Plugin and Fundraising Platform < 3.14.2 - Missing Authorization to Authenticated (Subscriber+) Limited File Deletion