CVE-2024-9215 – The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress …

17 October 2024

Vuln ID: CVE-2024-9215

Published: 2024-10-17 02:15:02.977

Description: The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the ‘authors-user_id’ user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user’s account password and gain access.

Base Score: 8.8 – HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source: NVD.NIST.GOV

Date:

17 October 2024

Categorie(s):

NVD

Tag(s):

NVD

New infosec products of the week: October 18, 202418 October 2024
CyberRisk TV live show wrap up from Oktane 202418 October 2024
Oktane 2024: Staying ahead of identity threats – David Bradbury 18 October 2024
Uncle Sam puts $10M bounty on Russian troll farm Rybar18 October 2024
Cicada3301 ransomware affiliate program infiltrated by security researchers18 October 2024