CVE-2024-0366

The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.
Configurations

Configuration 1 (hide)

cpe:2.3:a:squirrly:starbox:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:46

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - Issue Tracking () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - Issue Tracking
References () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - Issue Tracking () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - Third Party Advisory

13 Feb 2024, 17:05

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - () https://plugins.trac.wordpress.org/changeset/3028775/starbox/trunk?contextall=1&old=3000701&old_path=%2Fstarbox%2Ftrunk - Issue Tracking
References () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - () https://plugins.trac.wordpress.org/browser/starbox/trunk/core/UserSettings.php - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c47601b4-bf16-4f59-b5f3-584a8eac7c67?source=cve - Third Party Advisory
First Time Squirrly
Squirrly starbox
CWE CWE-639
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
CPE cpe:2.3:a:squirrly:starbox:*:*:*:*:*:wordpress:*:*

05 Feb 2024, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 22:16

Updated : 2024-11-21 08:46


NVD link : CVE-2024-0366

Mitre link : CVE-2024-0366

CVE.ORG link : CVE-2024-0366


JSON object : View

Products Affected

squirrly

  • starbox
CWE
CWE-639

Authorization Bypass Through User-Controlled Key