WordPress Plugin Vulnerabilities

Plum: Spin Wheel & Email Pop-up <= 2.0 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

Description

The Plum: Spin Wheel & Email Pop-up plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on a function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to perform Stored Cross-Site Scripting attacks.

Affects Plugins

Plugin icon
qodeblock
No known fix

References

CVE
CVE-2024-38744
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ac4f9453-f3d9-4ef5-8c4e-1d51ad194342

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
f97ce87e-9158-46c6-9c06-fe582abaf42c

Timeline

Publicly Published
2024-07-11 (about 1 year ago)
Added
2024-07-17 (about 1 year ago)
Last Updated
2024-07-17 (about 1 year ago)

Other

Published
Title
Published
2025-08-26
Title
Zephyr Project Manager < 3.3.202 - Missing Authorization
Published
2024-12-11
Title
Projectopia < 5.1.8 - Missing Authorization to Privilege Escalation via pto_reset_password()
Published
2024-12-14
Title
Dreamfox Media Payment gateway per Product for Woocommerce < 3.5.9 - Missing Authorization
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary File Deletion
Published
2024-07-04
Title
The Post Grid < 7.7.5 - Missing Authorization via REST API