WordPress Plugin Vulnerabilities

Themify Builder < 7.6.2 - Missing Authorization to Authenticated (Contributor+) Post Duplication

Description

The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.

Affects Plugins

Plugin icon
themify-builder
Fixed in 7.6.2

References

CVE
CVE-2024-7836
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/31dfc46c-a673-41f1-b701-aa832f004ebc

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
f45acda0-03e0-42b1-a489-411b93781c9e

Timeline

Publicly Published
2024-08-21 (about 1 year ago)
Added
2024-08-21 (about 1 year ago)
Last Updated
2024-08-22 (about 1 year ago)

Other

Published
Title
Published
2026-04-20
Title
Responsive Blocks < 2.2.1 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter
Published
2024-03-12
Title
Awesome Support < 6.1.7 - Insufficient Authorization via wpas_can_delete_attachments()
Published
2022-02-02
Title
Custom Content Shortcode < 4.0.1 - Unauthorised Arbitrary Post Metadata Access
Published
2023-06-05
Title
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
Published
2024-12-16
Title
Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass