WordPress Plugin Vulnerabilities

ApplyOnline – Application Form Builder and Manager < 2.6.3 - Missing Authorization to Sensitive Information Exposure

Description

The ApplyOnline – Application Form Builder and Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the aol_modal_box AJAX action in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with subscriber access or higher, to view Application submissions.

Affects Plugins

Plugin icon
apply-online
Fixed in 2.6.3

References

CVE
CVE-2024-2036
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3eff4992-dbd4-4b9b-872e-1670ce7dab9d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
f73f40bd-b906-4e99-8ba7-0eea198130c4

Timeline

Publicly Published
2024-05-21 (about 2 years ago)
Added
2024-05-21 (about 2 years ago)
Last Updated
2024-06-05 (about 1 year ago)

Other

Published
Title
Published
2024-01-03
Title
Void Contact Form 7 Widget For Elementor Page Builder < 2.4 - Missing Authorization
Published
2025-09-05
Title
Ray Enterprise Translation <= 1.7.1 - Missing Authorization
Published
2025-05-02
Title
Visual Builder < 1.3 - Missing Authorization
Published
2023-09-05
Title
Click To Tweet <= 2.0.14 - Missing Authorization
Published
2025-11-19
Title
Basel < 5.9.2 - Missing Authorization