Lucene search

[email protected]NVD:CVE-2024-0324

HistoryFeb 05, 2024 - 10:15 p.m.

CVE-2024-0324

2024-02-0522:15:59

CWE-862

[email protected]

web.nvd.nist.gov

wordpress

user profile builder

vulnerability

2fa

unauthorized modification

data

premium

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

32.1%

JSON

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wppb_two_factor_authentication_settings_update’ function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.

Affected configurations

Nvd

Node

cozmoslabsprofile_builderRange≤3.10.8wordpress

VendorProductVersionCPE
cozmoslabsprofile_builder*cpe:2.3:a:cozmoslabs:profile_builder:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
cozmoslabs	profile_builder	*	cpe:2.3:a:cozmoslabs:profile_builder::::::wordpress::*

References

github.com/WordpressPluginDirectory/profile-builder/blob/main/profile-builder/admin/admin-functions.php#L517

plugins.trac.wordpress.org/changeset/3022354/

www.wordfence.com/threat-intel/vulnerabilities/id/23caef95-36b6-40aa-8dd7-51a376790a40?source=cve

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

32.1%

JSON

Related for NVD:CVE-2024-0324

wpvulndb1 prion1 cve1 cvelist1 wordfence1