WordPress Plugin Vulnerabilities

WOLF – WordPress Posts Bulk Editor and Manager Professional < 1.0.8.2 - Missing Authorization

Description

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create, delete or modify taxonomy terms.

Affects Plugins

Plugin icon
bulk-editor
Fixed in 1.0.8.2

References

CVE
CVE-2024-0791
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/13c66a8f-b35f-4943-8880-0799b0d150f7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
def70a9f-cd22-425e-9f42-4bf0054adba0

Timeline

Publicly Published
2024-01-30 (about 2 years ago)
Added
2024-01-30 (about 2 years ago)
Last Updated
2024-01-30 (about 2 years ago)

Other

Published
Title
Published
2022-07-22
Title
WP Libre Form 2-2.0.8 - Unauthenticated Arbitrary Submissions Listing & Deletion
Published
2024-06-03
Title
WP Translate <= 5.3.0 - Missing Authorization
Published
2025-04-04
Title
Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
Published
2024-12-12
Title
PixProof <= 2.0.1 - Missing Authorization
Published
2021-12-08
Title
PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise