Lucene search

[email protected]NVD:CVE-2024-4450

HistoryJun 19, 2024 - 4:15 a.m.

CVE-2024-4450

2024-06-1904:15:11

[email protected]

web.nvd.nist.gov

aliexpress

dropshipping

wordpress

vulnerability

unauthorized access

capability check

importajaxcontroller.php

authenticated attackers

subscriber-level access

product import

product modification

cve-2024-4450

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

0.0004 Low

EPSS

Percentile

13.5%

JSON

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products.

References

plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/includes/classes/controller/ImportAjaxController.php

www.wordfence.com/threat-intel/vulnerabilities/id/01836c2c-0976-493e-8b13-1c7c702d1d2c?source=cve