Leopard – WordPress offload media <= 2.0.36 – Missing Authorization to Authenticated (Subscriber+) Settings Update | CVE 2024-43256 | Plugin Vulnerabilities

Description

The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.36. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

Affects Plugins

leopard-wordpress-offload-media

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/35b1fb1a-a12c-4938-a2d2-74e291db76ef

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dave Jong

Verified

No

WPVDB ID

ee80a1cc-8cef-4c17-8d00-a0f3f6fecdfe

Timeline

Publicly Published

2024-08-12 (about 1 year ago)

Added

2024-08-22 (about 1 year ago)

Last Updated

2024-08-22 (about 1 year ago)

Other

Published

Title

Published

2023-10-11

Title

IMPress Listings <= 2.6.2 - Missing Authorization

Published

2025-12-15

Title

Read More & Accordion < 3.5.6 - Missing Authorization

Published

2023-07-10

Title

Buy Me a Coffee – Button and Widget Plugin < 3.8 - Subscriber+ Unauthorized Data Modification

Published

2024-11-20

Title

Ultimate Member < 2.9.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update

Published

2023-11-28

Title

Download canvasio3D Light <= 2.5.0 - Subscriber+ Entries Update/Deletion