CVE-2024-7836

The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.
Configurations

Configuration 1 (hide)

cpe:2.3:a:themify:themify_builder:*:*:*:*:*:wordpress:*:*

History

27 Sep 2024, 12:53

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.6.1/classes/class-builder-duplicate-page.php#L41 - () https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.6.1/classes/class-builder-duplicate-page.php#L41 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/31dfc46c-a673-41f1-b701-aa832f004ebc?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/31dfc46c-a673-41f1-b701-aa832f004ebc?source=cve - Third Party Advisory
First Time Themify themify Builder
Themify
CPE cpe:2.3:a:themify:themify_builder:*:*:*:*:*:wordpress:*:*

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) El complemento Themify Builder para WordPress es vulnerable a la duplicación de publicaciones no autorizada debido a la falta de controles en la función duplicate_page_ajaxify en todas las versiones hasta la 7.6.1 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel Colaborador y superior, dupliquen y vean publicaciones privadas o borradores creados por otros usuarios a los que de otro modo no deberían tener acceso.

22 Aug 2024, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-22 03:15

Updated : 2024-09-27 12:53


NVD link : CVE-2024-7836

Mitre link : CVE-2024-7836

CVE.ORG link : CVE-2024-7836


JSON object : View

Products Affected

themify

  • themify_builder
CWE
CWE-863

Incorrect Authorization