CVE-2024-4410 Information

Jul 28, 2024 cve

Description

The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers with subscriber access or higher to execute various AJAX actions. This includes actions to change the permalink structure plugin settings and others.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/07b6aad4-fbaf-4c0c-b2b7-6e264a1afb9b?source=cve https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L186 https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L1162

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

LOW

Base Severity

5.4

Share on: