CVE-2024-10802

The Hash Elements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hash_elements_get_posts_title_by_id() function in all versions up to, and including, 1.4.7. This makes it possible for unauthenticated attackers to retrieve draft post titles that should not be accessible to unauthenticated users.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3186151%40hash-elements&new=3186151%40hash-elements&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/010590bc-98fb-4afe-9c5e-80ad4c50a34e?source=cve

Configurations

No configuration.

History

13 Nov 2024, 17:01

Type	Values Removed	Values Added
Summary		(es) El complemento Hash Elements para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la función hash_elements_get_posts_title_by_id() en todas las versiones hasta la 1.4.7 incluida. Esto permite que atacantes no autenticados recuperen borradores de títulos de publicaciones que no deberían ser accesibles para usuarios no autenticados.

13 Nov 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-13 04:15

Updated : 2024-11-13 17:01

NVD link : CVE-2024-10802

Mitre link : CVE-2024-10802

CVE.ORG link : CVE-2024-10802

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

5.3 /10