CVE-2024-0366

The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.
Configurations

Configuration 1 (hide)

cpe:2.3:a:squirrly:starbox:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:46

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - Issue Tracking () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - Issue Tracking
References () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - Issue Tracking () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - Third Party Advisory

13 Feb 2024, 17:05

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - Issue Tracking
References () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - Third Party Advisory
Summary
  • (es) El complemento Starbox – the Author Box for Humans para WordPress es vulnerable a Insecure Direct Object Reference en todas las versiones hasta la 3.4.7 incluida, a través de la función de acción debido a la falta de validación en una clave controlada por el usuario. Esto hace posible que los suscriptores vean las preferencias de complementos y potencialmente otras configuraciones de usuario.
CPE cpe:2.3:a:squirrly:starbox:*:*:*:*:*:wordpress:*:*
First Time Squirrly starbox
Squirrly
CWE CWE-639

05 Feb 2024, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 22:16

Updated : 2024-11-21 08:46


NVD link : CVE-2024-0366

Mitre link : CVE-2024-0366

CVE.ORG link : CVE-2024-0366


JSON object : View

Products Affected

squirrly

  • starbox
CWE
CWE-639

Authorization Bypass Through User-Controlled Key