WordPress Plugin Vulnerabilities

Schema App Structured Data < 2.2.1 - Missing Authorization

Description

The Schema App Structured Data plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MarkupUpdate function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update or delete post metadata.

Affects Plugins

Plugin icon
schema-app-structured-data-for-schemaorg
Fixed in 2.2.1

References

CVE
CVE-2024-0893
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1089ab17-b780-4840-8dcd-c50258513634

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
fd8959d2-e7c1-4930-94de-f4f64bb5ad81

Timeline

Publicly Published
2024-05-23 (about 2 years ago)
Added
2024-05-23 (about 2 years ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2023-12-18
Title
Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update
Published
2025-12-19
Title
Bit Assist < 1.6.0 - Missing Authorization
Published
2022-08-01
Title
WP Edit Menu < 1.5.0 - Unauthenticated Arbitrary Post Deletion
Published
2024-12-02
Title
IdeaPush < 8.72 - Missing Authorization to Board Term Deletion
Published
2025-12-04
Title
Webcake – Landing Page Builder < 1.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update