Lucene search

WordfenceCVELIST:CVE-2024-1175

HistoryJun 06, 2024 - 3:53 a.m.

CVE-2024-1175 WP-Recall – Registration, Profile, Commerce & More <= 16.26.6 - Unauthenticated Payment Deletion via delete_payment

2024-06-0603:53:09

Wordfence

www.cve.org

cve-2024-1175

unauthenticated payment deletion

wp-recall

missing capability check

unauthorized data loss

arbitrary payments

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

17.0%

JSON

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘delete_payment’ function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete arbitrary payments.

CNA Affected

[
  {
    "vendor": "wppost",
    "product": "WP-Recall – Registration, Profile, Commerce & More",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "16.26.6",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

wordpress.org/plugins/wp-recall/

www.wordfence.com/threat-intel/vulnerabilities/id/6b84b13a-b46c-48fc-a7a8-de32c575d576?source=cve

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

17.0%

JSON

Related for CVELIST:CVE-2024-1175