CVE-2024-5324

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-5324
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83 Patch
https://plugins.trac.wordpress.org/changeset/3093994/ Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xootix:login\/signup_popup:2.7.1:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:login\/signup_popup:2.7.2:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:otp_login_woocommerce_\&_gravity_forms:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:side_cart_woocommerce:2.5:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:waitlist_woocommerce:*:*:*:*:*:wordpress:*:*
History

24 Jul 2024, 17:42

Type Values Removed Values Added
CPE cpe:2.3:a:xootix:otp_login_woocommerce_\&_gravity_forms:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:side_cart_woocommerce:2.5:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:waitlist_woocommerce:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:login\/signup_popup:2.7.2:*:*:*:*:wordpress:*:*
cpe:2.3:a:xootix:login\/signup_popup:2.7.1:*:*:*:*:wordpress:*:*
First Time Xootix otp Login Woocommerce \& Gravity Forms
Xootix
Xootix waitlist Woocommerce
Xootix side Cart Woocommerce
Xootix login\/signup Popup
CWE CWE-863
References () https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83 - () https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83 - Patch
References () https://plugins.trac.wordpress.org/changeset/3093994/ - () https://plugins.trac.wordpress.org/changeset/3093994/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve - Third Party Advisory

06 Jun 2024, 14:17

Type Values Removed Values Added
Summary
  • (es) El complemento Login/Signup Popup (Inline Form + Woocommerce) para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función 'import_settings' en las versiones 2.7.1 a 2.7.2. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, cambien opciones arbitrarias en los sitios afectados. Esto se puede utilizar para habilitar el registro de nuevos usuarios y establecer la función predeterminada para los nuevos usuarios en Administrador.

06 Jun 2024, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-06 02:15

Updated : 2024-07-24 17:42

NVD link : CVE-2024-5324

Mitre link : CVE-2024-5324

CVE.ORG link : CVE-2024-5324

JSON object : View

Products Affected

xootix

  • otp_login_woocommerce_\&_gravity_forms
  • login\/signup_popup
  • waitlist_woocommerce
  • side_cart_woocommerce
CWE
CWE-863

Incorrect Authorization