CVE-2024-7380

The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus.
Configurations

Configuration 1 (hide)

cpe:2.3:a:infinitumform:geo_controller:*:*:*:*:*:wordpress:*:*

History

06 Sep 2024, 10:33

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/cf-geoplugin/tags/8.6.9/inc/classes/Menus.php#L519 - () https://plugins.trac.wordpress.org/browser/cf-geoplugin/tags/8.6.9/inc/classes/Menus.php#L519 - Product
References () https://plugins.trac.wordpress.org/browser/cf-geoplugin/tags/8.6.9/inc/classes/Menus.php#L606 - () https://plugins.trac.wordpress.org/browser/cf-geoplugin/tags/8.6.9/inc/classes/Menus.php#L606 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/280e1b4d-08be-4e77-abcb-5f9079111595?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/280e1b4d-08be-4e77-abcb-5f9079111595?source=cve - Third Party Advisory
First Time Infinitumform
Infinitumform geo Controller
Summary
  • (es) El complemento Geo Controller para WordPress es vulnerable a la creación o eliminación no autorizada de menús debido a la falta de comprobaciones de capacidad en las funciones ajax__geolocate_menu y ajax__geolocate_remove_menu en todas las versiones hasta la 8.6.9 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor o superior, creen o eliminen menús de WordPress.
CPE cpe:2.3:a:infinitumform:geo_controller:*:*:*:*:*:wordpress:*:*

05 Sep 2024, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-05 11:15

Updated : 2024-09-06 10:33


NVD link : CVE-2024-7380

Mitre link : CVE-2024-7380

CVE.ORG link : CVE-2024-7380


JSON object : View

Products Affected

infinitumform

  • geo_controller
CWE
CWE-862

Missing Authorization