CVE-2024-13370

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13370
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_addon_key_license() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options to a value of a valid license key.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/class-youzify-admin.php?desc=1#L1348 Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/f234d676-86ac-47ab-b8b3-b0459cbb4538?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:kainelabs:youzify:*:*:*:*:free:wordpress:*:*
History

04 Feb 2025, 19:38

Type Values Removed Values Added
Summary
  • (es) El complemento Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin para WordPress es vulnerable al acceso no autorizado debido a una verificación de capacidad faltante en la función save_addon_key_license() en todas las versiones hasta la 1.3.2 y incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, actualicen opciones arbitrarias a un valor de una clave de licencia válida.
CPE cpe:2.3:a:kainelabs:youzify:*:*:*:*:free:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/class-youzify-admin.php?desc=1#L1348 - () https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.2/includes/admin/class-youzify-admin.php?desc=1#L1348 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/f234d676-86ac-47ab-b8b3-b0459cbb4538?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/f234d676-86ac-47ab-b8b3-b0459cbb4538?source=cve - Third Party Advisory
First Time Kainelabs
Kainelabs youzify

25 Jan 2025, 08:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-25 08:15

Updated : 2025-02-04 19:38

NVD link : CVE-2024-13370

Mitre link : CVE-2024-13370

CVE.ORG link : CVE-2024-13370

JSON object : View

Products Affected

kainelabs

  • youzify
CWE
CWE-862

Missing Authorization