CVE-2024-4450

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ali2woo:aliexpress_dropshipping_with_alinext:*:*:*:*:lite:wordpress:*:*

History

21 Nov 2024, 09:42

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/includes/classes/controller/ImportAjaxController.php - Product () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/includes/classes/controller/ImportAjaxController.php - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/01836c2c-0976-493e-8b13-1c7c702d1d2c?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/01836c2c-0976-493e-8b13-1c7c702d1d2c?source=cve - Third Party Advisory

20 Sep 2024, 00:22

Type Values Removed Values Added
CPE cpe:2.3:a:ali2woo:aliexpress_dropshipping_with_alinext:*:*:*:*:lite:wordpress:*:*
CWE CWE-862
First Time Ali2woo aliexpress Dropshipping With Alinext
Ali2woo
References () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/includes/classes/controller/ImportAjaxController.php - () https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/includes/classes/controller/ImportAjaxController.php - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/01836c2c-0976-493e-8b13-1c7c702d1d2c?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/01836c2c-0976-493e-8b13-1c7c702d1d2c?source=cve - Third Party Advisory

20 Jun 2024, 12:44

Type Values Removed Values Added
Summary
  • (es) El complemento AliExpress Dropshipping con AliNext Lite para WordPress es vulnerable al acceso no autorizado debido a una falta de verificación de capacidad en varias funciones en el archivo ImportAjaxController.php en todas las versiones hasta la 3.3.5 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, realicen varias acciones como importar y modificar productos.

19 Jun 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-19 04:15

Updated : 2024-11-21 09:42


NVD link : CVE-2024-4450

Mitre link : CVE-2024-4450

CVE.ORG link : CVE-2024-4450


JSON object : View

Products Affected

ali2woo

  • aliexpress_dropshipping_with_alinext
CWE
CWE-862

Missing Authorization