WordPress Plugin Vulnerabilities

Spectra < 2.13.8 - Missing Authorization via generate_ai_content

Description

The Spectra plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the generate_ai_content() function in versions up to, and including, 2.13.7. This makes it possible for authenticated attackers, with contributor-level access and above, to generate AI content.

Affects Plugins

Plugin icon
ultimate-addons-for-gutenberg
Fixed in 2.13.8

References

CVE
CVE-2024-37517
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/eacfcc78-b4c3-46ba-a9d3-302fd207dd33

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
ec1a4969-7465-49fd-8924-e22df0867823

Timeline

Publicly Published
2024-07-05 (about 1 year ago)
Added
2024-07-10 (about 1 year ago)
Last Updated
2024-07-10 (about 1 year ago)

Other

Published
Title
Published
2024-08-22
Title
WBW Product Table Pro < 1.9.5 - Unauthenticated Arbitrary SQL Execution
Published
2025-06-19
Title
WP User Profile Avatar <= 1.0.6 - Missing Authorization
Published
2026-01-13
Title
Breeze < 2.2.22 - Missing Authorization
Published
2025-12-14
Title
Accessibility by AudioEye < 1.1.0 - Missing Authorization
Published
2025-12-15
Title
Yaad Sarig Payment Gateway For WC <= 2.2.10 - Missing Authorization