WordPress Plugin Vulnerabilities

Comments Extra Fields For Post,Pages and CPT < 5.1 - Missing Authorization

Description

The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. This is due to missing or incorrect capability checks on several ajax actions. This makes it possible for authenticated attackers, with subscriber access or higher, to invoke those actions. As a result, they may modify comment form fields and update plugin settings.

Affects Plugins

Plugin icon
wp-comment-fields
Fixed in 5.1

References

CVE
CVE-2024-0829
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc5754c2-a052-41ac-af19-7c4f55860f95

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
ed7be2ea-d43c-47ca-a809-ad820612ad21

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-02-26 (about 2 years ago)
Last Updated
2024-02-26 (about 2 years ago)

Other

Published
Title
Published
2025-10-05
Title
Nelio Content < 4.0.6 - Missing Authorization
Published
2023-10-05
Title
Profile Extra Fields by BestWebSoft < 1.2.8 - Unauthenticated Sensitive Data Disclosure
Published
2024-12-11
Title
Firebase OTP Authentication <= 1.0.1 - Missing Authorization to Privilege Escalation
Published
2024-03-11
Title
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Missing Authorization on publish_lp()
Published
2023-02-14
Title
WP VR < 8.2.8 - Subscriber+ Settings Update