CVE-2024-9829 – The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due …

23 October 2024

Vuln ID: CVE-2024-9829

Published: 2024-10-23 06:15:11.007

Description: The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the ‘dpwap_handle_download_user’ and ‘dpwap_handle_download_comment’ functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and download metadata for any user including user PII and sensitive information including username, email, hashed passwords and application passwords, session token information and more depending on set up and additional plugins installed.

Base Score: 6.5 – MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Source: NVD.NIST.GOV

Date:

23 October 2024

Categorie(s):

NVD

Tag(s):

NVD

70% of Leaders See Cyber Knowledge Gap in Employees23 October 2024
Attackers Use Encoded JavaScript to Deliver Malware23 October 2024
6 facts for CentOS users who are holding on23 October 2024
CISOs respond: 49% of CISOs plan to leave role without industry action23 October 2024
Internet Archive Secures Zendesk Account, Works Toward Full-Service Restoration23 October 2024