The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.
References
Configurations
History
26 Aug 2024, 18:14
Type | Values Removed | Values Added |
---|---|---|
First Time |
Givewp
Givewp givewp |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
CPE | cpe:2.3:a:givewp:givewp:*:*:*:*:*:wordpress:*:* | |
References | () https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/EventTickets/Routes/UpdateEvent.php#L81 - Patch | |
References | () https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/src/EventTickets/Routes/UpdateEventTicketType.php#L78 - Patch | |
References | () https://plugins.trac.wordpress.org/changeset/3120745/ - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/d3cda8d0-321c-4b15-980e-5ebf49fac367?source=cve - Third Party Advisory |
20 Aug 2024, 15:44
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
20 Aug 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-20 02:15
Updated : 2024-08-26 18:14
NVD link : CVE-2024-5940
Mitre link : CVE-2024-5940
CVE.ORG link : CVE-2024-5940
JSON object : View
Products Affected
givewp
- givewp
CWE
CWE-862
Missing Authorization