WordPress Plugin Vulnerabilities

Multiple Page Generator Plugin – MPG < 3.4.1 - Missing Authorization via mpg_get_log_by_project_id

Description

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mpg_get_log_by_project_id' function in versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to view project logs.

Affects Plugins

Plugin icon
multiple-pages-generator-by-porthas
Fixed in 3.4.1

References

CVE
CVE-2024-30235
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa1d2fac-6e66-46b8-aa0a-1f6b5746b18b

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
df8e9c11-9079-4494-b8b5-698185737b5a

Timeline

Publicly Published
2024-03-26 (about 2 years ago)
Added
2024-03-27 (about 2 years ago)
Last Updated
2024-03-27 (about 2 years ago)

Other

Published
Title
Published
2022-11-28
Title
Pie Register < 3.8.1.3 - Unauthenticated Arbitrary User Deletion
Published
2024-08-09
Title
Opal Membership <= 1.2.4 - Authenticated (Subscriber+) Information Disclosure
Published
2024-08-26
Title
LWS Affiliation < 2.3.5 - Missing Authorization
Published
2025-05-01
Title
Flynax Bridge < 2.2.1 - Unauthenticated Arbitrary User Deletion
Published
2024-04-15
Title
Customer Reviews for WooCommerce < 5.47.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending