Lucene search

WordfenceCVELIST:CVE-2024-1850

HistoryApr 09, 2024 - 6:58 p.m.

CVE-2024-1850

2024-04-0918:58:46

Wordfence

www.cve.org

ai post generator

wordpress

unauthorized access

post modification

ajax actions

capability check

authenticated attackers

subscriber access

post deletion

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.2

Confidence

High

EPSS

Percentile

15.5%

JSON

The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized access, modification or deletion of posts due to a missing capability check on functions hooked by AJAX actions in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber access or higher, to view all posts generated with this plugin (even in non-published status), create new posts (and publish them), publish unpublished post or perform post deletions.

CNA Affected

[
  {
    "vendor": "kekotron",
    "product": "AI Post Generator | AutoWriter",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3056020%40ai-post-generator&new=3056020%40ai-post-generator&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3057511%40ai-post-generator&new=3057511%40ai-post-generator&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/43fc47ca-15ca-4817-b1b8-389245725e73?source=cve