CVE-2024-2505

2024-04-2906:15:07

WPScan

web.nvd.nist.gov

gamipress

wordpress plugin

access control

vulnerability

settings

authors

subscribers

unauthorized users

nvd

cve-2024-2505

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.5

Confidence

Low

EPSS

Percentile

9.0%

JSON

The GamiPress WordPress plugin before 6.8.9’s access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations.

Affected configurations

Vulners

Vulnrichment

Node

gamipressgamipressRange<6.8.9wordpress

VendorProductVersionCPE
gamipressgamipress*cpe:2.3:a:gamipress:gamipress:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
gamipress	gamipress	*	cpe:2.3:a:gamipress:gamipress::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "GamiPress ",
    "versions": [
      {
        "status": "affected",
        "versionType": "semver",
        "version": "0",
        "lessThan": "6.8.9"
      }
    ],
    "defaultStatus": "unaffected"
  }
]