CubeWP – All-in-One Dynamic Content Framework < 1.1.16 – Missing Authorization | CVE 2024-48039 | Plugin Vulnerabilities

Description

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several funcstions like 'cwp_user_fields_data_callback ' and 'cwpform_save_shortcode' in versions up to, and including, 1.1.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to update various plugin settings and export data.

Affects Plugins

cubewp-framework

Fixed in 1.1.16

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/307e3e47-fac8-400d-9b90-b75b39ee14c3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

e6e04a6d-7df0-4b86-bcf7-39a488c2081a

Timeline

Publicly Published

2024-10-09 (about 1 year ago)

Added

2024-10-16 (about 1 year ago)

Last Updated

2024-10-16 (about 1 year ago)

Other

Published

Title

Published

2026-05-13

Title

Database Backup for WordPress < 2.5.3 - Missing Authorization to Unauthenticated Database Export

Published

2025-11-12

Title

Survey Maker < 5.1.9.5 - Missing Authorization to Unauthenticated Limited Option Update

Published

2026-02-03

Title

Latest Post Shortcode < 14.2.2 - Missing Authorization

Published

2024-02-07

Title

ImageRecycle pdf & image compression < 3.1.14 - Missing Authorization to Settings Update in stopOptimizeAll

Published

2024-02-13

Title

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.11.2 - Missing Authorization via pms_stripe_connect_handle_authorization_return