Lucene search

WordfenceVULNRICHMENT:CVE-2024-1850

HistoryApr 09, 2024 - 6:58 p.m.

CVE-2024-1850

2024-04-0918:58:46

Wordfence

github.com

ai post generator

autowriter

wordpress

unauthorized access

modification

deletion

capability check

ajax actions

authenticated attackers

subscriber access

post creation

post publication

post deletion

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.7

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized access, modification or deletion of posts due to a missing capability check on functions hooked by AJAX actions in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber access or higher, to view all posts generated with this plugin (even in non-published status), create new posts (and publish them), publish unpublished post or perform post deletions.

CNA Affected

[
  {
    "vendor": "kekotron",
    "product": "AI Post Generator | AutoWriter",
    "versions": [
      {
        "status": "affected",
        "version": "*",
        "versionType": "semver",
        "lessThanOrEqual": "3.3"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3056020%40ai-post-generator&new=3056020%40ai-post-generator&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3057511%40ai-post-generator&new=3057511%40ai-post-generator&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/43fc47ca-15ca-4817-b1b8-389245725e73?source=cve