CVE-2024-13368

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13368
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/core/functions/youzify-general-functions.php#L961 Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2abd5b-3067-4dcd-a650-b543fa03437b?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:kainelabs:youzify:*:*:*:*:free:wordpress:*:*
History

04 Feb 2025, 19:39

Type Values Removed Values Added
Summary
  • (es) El complemento Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin para WordPress es vulnerable al acceso no autorizado debido a una verificación de capacidad faltante en la función youzify_offer_banner() en todas las versiones hasta la 1.3.2 y incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, actualicen opciones arbitrarias del sitio a un valor de uno.
First Time Kainelabs
Kainelabs youzify
References () https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/core/functions/youzify-general-functions.php#L961 - () https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/core/functions/youzify-general-functions.php#L961 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2abd5b-3067-4dcd-a650-b543fa03437b?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/ad2abd5b-3067-4dcd-a650-b543fa03437b?source=cve - Third Party Advisory
CPE cpe:2.3:a:kainelabs:youzify:*:*:*:*:free:wordpress:*:*

25 Jan 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-25 08:15

Updated : 2025-02-04 19:39

NVD link : CVE-2024-13368

Mitre link : CVE-2024-13368

CVE.ORG link : CVE-2024-13368

JSON object : View

Products Affected

kainelabs

  • youzify
CWE
CWE-862

Missing Authorization