Lucene search

WordfenceCVELIST:CVE-2024-3608

HistoryJul 09, 2024 - 8:33 a.m.

CVE-2024-3608 Product Designer <= 1.0.33 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

2024-07-0908:33:04

Wordfence

www.cve.org

wordpress

product designer

vulnerability

unauthorized access

attachment deletion

cve-2024-3608

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

9.2%

JSON

The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the product_designer_ajax_delete_attach_id() function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary attachments.

CNA Affected

[
  {
    "vendor": "pickplugins",
    "product": "Product Designer",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.0.33",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/product-designer/trunk/includes/designer-function.php#L412

www.wordfence.com/threat-intel/vulnerabilities/id/2f127fe5-67b8-40e1-a916-c607410b08b3?source=cve

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

9.2%

JSON

Related for CVELIST:CVE-2024-3608