CVE-2024-2017

The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the conditionsRow and switchCountdown functions in all versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject PHP Objects and modify the status of countdowns.
Configurations

Configuration 1 (hide)

cpe:2.3:a:edmonsoft:countdown_builder:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 09:08

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51 - Product () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51 - Product
References () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92 - Product () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92 - Product
References () https://plugins.trac.wordpress.org/changeset/3096150/ - Patch () https://plugins.trac.wordpress.org/changeset/3096150/ - Patch
References () https://plugins.trac.wordpress.org/changeset/3097588/ - Patch () https://plugins.trac.wordpress.org/changeset/3097588/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve - Third Party Advisory

25 Jul 2024, 13:02

Type Values Removed Values Added
CWE CWE-862
First Time Edmonsoft
Edmonsoft countdown Builder
CPE cpe:2.3:a:edmonsoft:countdown_builder:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51 - () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L51 - Product
References () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92 - () https://plugins.trac.wordpress.org/browser/countdown-builder/trunk/classes/Ajax.php#L92 - Product
References () https://plugins.trac.wordpress.org/changeset/3096150/ - () https://plugins.trac.wordpress.org/changeset/3096150/ - Patch
References () https://plugins.trac.wordpress.org/changeset/3097588/ - () https://plugins.trac.wordpress.org/changeset/3097588/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/d8fab229-cd6b-45a3-9e80-a03a1704ad3e?source=cve - Third Party Advisory

06 Jun 2024, 14:17

Type Values Removed Values Added
Summary
  • (es) El complemento Countdown, Coming Soon, Maintenance – Countdown & Clock para WordPress es vulnerable al acceso no autorizado debido a una falta de verificación de capacidad en las funciones conditionRow y switchCountdown en todas las versiones hasta la 2.7.8 incluida. Esto hace posible que atacantes autenticados, con acceso a nivel de suscriptor y superior, inyecten objetos PHP y modifiquen el estado de las cuentas regresivas.

06 Jun 2024, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 03:15

Updated : 2024-11-21 09:08


NVD link : CVE-2024-2017

Mitre link : CVE-2024-2017

CVE.ORG link : CVE-2024-2017


JSON object : View

Products Affected

edmonsoft

  • countdown_builder
CWE
CWE-862

Missing Authorization