Read More & Accordion < 3.4.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion | CVE 2024-13639 | Plugin Vulnerabilities

Description

The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.

Affects Plugins

Fixed in 3.4.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/65849267-8bb5-48fd-b95e-e89a1e744fe0

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

theviper17y

Verified

No

WPVDB ID

ece6ccc4-ae11-4c1b-9007-e487ccbe3c03

Timeline

Publicly Published

2025-02-12 (about 1 year ago)

Added

2025-02-12 (about 1 year ago)

Last Updated

2025-02-13 (about 1 year ago)

Other

Published

Title

Published

2026-02-18

Title

Breeze – WordPress Cache Plugin < 2.2.22 - Missing Authorization to Cache Deletion

Published

2025-04-02

Title

WR Price List Manager For Woocommerce <= 1.0.8 - Missing Authorization to Arbitrary Content Deletion

Published

2025-09-05

Title

Payoneer Checkout < 3.5.0 - Missing Authorization

Published

2023-09-04

Title

WiserNotify Social Proof < 2.6 - Missing Authorization

Published

2024-12-05

Title

Message Filter for Contact Form 7 < 1.6.3.1 - Subscriber+ Filter Updates/Deletions