Lucene search

WordfenceCVE-2024-5324

HistoryJun 06, 2024 - 2:15 a.m.

CVE-2024-5324

2024-06-0602:15:54

CWE-863

Wordfence

web.nvd.nist.gov

cve-2024-5324

unauthorized modification

wordpress

authentication bypass

subscriber access

administrator role

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.001

Percentile

28.3%

JSON

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘import_settings’ function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Affected configurations

Nvd

Vulners

Vulnrichment

Node

xootixlogin\/signup_popupMatch2.7.1wordpress

xootixlogin\/signup_popupMatch2.7.2wordpress

xootixotp_login_woocommerce_\&_gravity_formsRange<2.6.2wordpress

xootixside_cart_woocommerceMatch2.5wordpress

xootixwaitlist_woocommerceRange<2.6.1wordpress

VendorProductVersionCPE
xootixlogin\/signup_popup2.7.1cpe:2.3:a:xootix:login\/signup_popup:2.7.1:*:*:*:*:wordpress:*:*
xootixlogin\/signup_popup2.7.2cpe:2.3:a:xootix:login\/signup_popup:2.7.2:*:*:*:*:wordpress:*:*
xootixotp_login_woocommerce_\&_gravity_forms*cpe:2.3:a:xootix:otp_login_woocommerce_\&_gravity_forms:*:*:*:*:*:wordpress:*:*
xootixside_cart_woocommerce2.5cpe:2.3:a:xootix:side_cart_woocommerce:2.5:*:*:*:*:wordpress:*:*
xootixwaitlist_woocommerce*cpe:2.3:a:xootix:waitlist_woocommerce:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
xootix	login\/signup_popup	2.7.1	cpe:2.3:a:xootix:login\/signup_popup:2.7.1:::::wordpress::
xootix	login\/signup_popup	2.7.2	cpe:2.3:a:xootix:login\/signup_popup:2.7.2:::::wordpress::
xootix	otp_login_woocommerce_\&_gravity_forms	*	cpe:2.3:a:xootix:otp_login_woocommerce_\&_gravity_forms::::::wordpress::*
xootix	side_cart_woocommerce	2.5	cpe:2.3:a:xootix:side_cart_woocommerce:2.5:::::wordpress::
xootix	waitlist_woocommerce	*	cpe:2.3:a:xootix:waitlist_woocommerce::::::wordpress::*

CNA Affected

[
  {
    "vendor": "xootix",
    "product": "Login/Signup Popup ( Inline Form + Woocommerce )",
    "versions": [
      {
        "version": "2.7.1",
        "status": "affected",
        "lessThanOrEqual": "2.7.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83

plugins.trac.wordpress.org/changeset/3093994/

www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.2

Confidence

High

EPSS

0.001

Percentile

28.3%

JSON

Related for CVE-2024-5324