Visualizer: Tables and Charts Manager for WordPress < 3.11.0 – Missing Authorization to Arbitrary SQL Execution | CVE 2024-3750 | Plugin Vulnerabilities

Description

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on the getQueryData() function in all versions up to, and including, 3.10.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform arbitrary SQL queries that can be leveraged for privilege escalation among many other actions.

Affects Plugins

Fixed in 3.11.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6d27544c-97a5-42cd-ab07-358f819acbc4

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Verified

No

WPVDB ID

f0d894d4-7dce-4ed4-9e89-642da7549fbf

Timeline

Publicly Published

2024-05-15 (about 1 year ago)

Added

2024-05-15 (about 1 year ago)

Last Updated

2024-05-15 (about 1 year ago)

Other

Published

Title

Published

2025-07-19

Title

Breeze Checkout <= 1.4.0 - Missing Authorization

Published

2024-03-12

Title

Bulgarisation for WooCommerce < 3.0.15 - Missing Authorization

Published

2025-01-16

Title

Loginplus <= 1.2 - Missing Authorization

Published

2026-01-24

Title

Integrate Google Drive <= 1.5.6 - Missing Authorization

Published

2024-04-10

Title

Restrict Content < 3.2.9 - Missing Authorization