WP Reset < 2.03 – Missing Authorization to License Key Modification | CVE 2024-4661 | Plugin Vulnerabilities

Description

The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting.

Affects Plugins

Fixed in 2.03

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0d2dc86e-f937-429f-9baa-0eb0a8715513

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Foxyyy

Verified

No

WPVDB ID

ebddcd9b-f173-45b9-b837-452d8ff37eeb

Timeline

Publicly Published

2024-06-07 (about 1 year ago)

Added

2024-06-07 (about 1 year ago)

Last Updated

2024-06-08 (about 1 year ago)

Other

Published

Title

Published

2025-06-05

Title

Taskbuilder < 4.0.8 - Missing Authorization

Published

2025-12-31

Title

Logger for Elementor <= 1.0.9 - Missing Authorization

Published

2023-06-02

Title

WooCommerce Box Office < 1.1.52 - Unauthenticated Ticket Barcode Update

Published

2024-10-24

Title

SEOPress < 8.2 - Missing Authorization

Published

2025-01-31

Title

RapidLoad – Optimize Web Vitals Automatically < 2.4.5 - Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset