WordPress Plugin Vulnerabilities

NextMove Lite < 2.18.0 - Subscriber+ Arbitrary Plugin Installation/Activation

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'xl_addon_installation' function, allowing authenticated attackers, with subscriber access and above, to install and activate arbitrary plugins.

Affects Plugins

Plugin icon
woo-thank-you-page-nextmove-lite
Fixed in 2.18.0

References

CVE
CVE-2024-25092
URL
https://patchstack.com/database/vulnerability/woo-thank-you-page-nextmove-lite/wordpress-nextmove-lite-plugin-2-17-0-subscriber-arbitrary-plugin-installation-activation-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
beluga
Verified
No
WPVDB ID
f7993326-65ea-429a-97ec-89b1f3b85a22

Timeline

Publicly Published
2024-02-09 (about 2 years ago)
Added
2024-02-12 (about 2 years ago)
Last Updated
2024-02-13 (about 2 years ago)

Other

Published
Title
Published
2023-10-03
Title
Redirection for Contact Form 7 < 3.0.0 - Missing Authorization
Published
2026-05-12
Title
Broadstreet < 1.53.2 - Subscriber+ Arbitrary Advertiser Creation
Published
2025-09-22
Title
AppMySite < 3.15.1 - Missing Authorization
Published
2023-09-22
Title
Ad Inserter – Ad Manager & AdSense Ads < 2.7.31 - Unauthenticated Sensitive Information Exposure
Published
2026-04-07
Title
Smart Slider 3 < 3.5.1.34 - Contributor+ Slider Data Read and Image Record Manipulation