WordPress Plugin Vulnerabilities

MoveTo <= 6.2 - Missing Authorization to Unauthenticated Options Update

Description

The moveto plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.2. This makes it possible for unauthenticated attackers to update arbitrary WordPress options, potentially leading to site takeover.

Affects Plugins

Plugin icon
moveto
No known fix

References

CVE
CVE-2024-25912
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/733ddf62-278b-4a2d-9dc5-28db3491cb29

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
f44042de-0daf-4c22-b64c-d06f64b62a5d

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-14 (about 2 years ago)
Last Updated
2024-02-14 (about 2 years ago)

Other

Published
Title
Published
2023-06-02
Title
WooCommerce Box Office < 1.1.52 - Unauthenticated Ticket Barcode Update
Published
2025-04-09
Title
Embedder 1.3 - 1.3.5 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-05-17
Title
Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Settings Update
Published
2025-01-09
Title
Essential WP Real Estate <= 1.1.3 - Unauthenticated Arbitrary Post/Page Deletion
Published
2024-04-25
Title
Client Dash <= 2.2.1 - Missing Authorization