WordPress Plugin Vulnerabilities

Landing Page Cat < 1.7.5 - Missing Authorization

Description

The Landing Page Cat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the custom post type added via the plugin in versions up to, and including, 1.7.4. This makes it possible for authenticated attackers, with contributor-level access and above, to edit and modify landing pages.

Affects Plugins

Plugin icon
landing-page-cat
Fixed in 1.7.5

References

CVE
CVE-2024-49686
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e3c5380f-2008-4dda-b0f9-d221a01ad1f0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
e28ec058-7d94-471e-9b50-11a549e5b73d

Timeline

Publicly Published
2024-10-21 (about 1 year ago)
Added
2024-10-30 (about 1 year ago)
Last Updated
2024-10-30 (about 1 year ago)

Other

Published
Title
Published
2024-04-10
Title
WP Accessibility Helper (WAH) < 0.6.2.6 - Missing Authorization
Published
2025-03-31
Title
ContentMX Content Publisher < 1.0.7 - Missing Authorization
Published
2024-07-19
Title
WooCommerce - Social Login < 2.7.4 - Missing Authorization to Unauthenticated Privilege Escalation
Published
2022-05-02
Title
Breeze < 2.0.3 - Subscriber+ Arbitrary Settings Update to Stored XSS
Published
2024-07-05
Title
Spectra < 2.13.8 - Missing Authorization via generate_ai_content