CVE-2024-4788

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content.
Configurations

Configuration 1 (hide)

cpe:2.3:a:woostify:boostify_header_footer_builder_for_elementor:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 09:43

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/boostify-header-footer-builder/trunk/inc/admin/class-admin.php#L280 - Patch () https://plugins.trac.wordpress.org/browser/boostify-header-footer-builder/trunk/inc/admin/class-admin.php#L280 - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/1090acfc-5b0c-478a-ac71-db54fdaefdf5?source=cve - Patch, Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/1090acfc-5b0c-478a-ac71-db54fdaefdf5?source=cve - Patch, Third Party Advisory

05 Aug 2024, 20:23

Type Values Removed Values Added
First Time Woostify
Woostify boostify Header Footer Builder For Elementor
CPE cpe:2.3:a:woostify:boostify_header_footer_builder_for_elementor:*:*:*:*:*:wordpress:*:*
CWE CWE-862
References () https://plugins.trac.wordpress.org/browser/boostify-header-footer-builder/trunk/inc/admin/class-admin.php#L280 - () https://plugins.trac.wordpress.org/browser/boostify-header-footer-builder/trunk/inc/admin/class-admin.php#L280 - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/1090acfc-5b0c-478a-ac71-db54fdaefdf5?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/1090acfc-5b0c-478a-ac71-db54fdaefdf5?source=cve - Patch, Third Party Advisory

06 Jun 2024, 14:17

Type Values Removed Values Added
Summary
  • (es) El complemento Boostify Header Footer Builder para Elementor para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función create_bhf_post en todas las versiones hasta la 1.3.3 incluida. Esto hace posible que atacantes autenticados, con acceso a nivel de suscriptor y superior, creen páginas o publicaciones con contenido arbitrario.

06 Jun 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 02:15

Updated : 2024-11-21 09:43


NVD link : CVE-2024-4788

Mitre link : CVE-2024-4788

CVE.ORG link : CVE-2024-4788


JSON object : View

Products Affected

woostify

  • boostify_header_footer_builder_for_elementor
CWE
CWE-862

Missing Authorization