Lucene search

K
cvelistWordfenceCVELIST:CVE-2024-5770
HistoryJun 08, 2024 - 4:32 a.m.

CVE-2024-5770 WP Force SSL & HTTPS SSL Redirect <= 1.66 - Missing Authorization to Settings Update

2024-06-0804:32:37
Wordfence
www.cve.org
4
wordpress
ssl
https
vulnerability
authorization

CVSS3

4.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

29.9%

The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘ajax_save_setting’ function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings.

CNA Affected

[
  {
    "vendor": "webfactory",
    "product": "WP Force SSL & HTTPS SSL Redirect",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.66",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

CVSS3

4.2

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

EPSS

0.001

Percentile

29.9%

Related for CVELIST:CVE-2024-5770