CVE-2024-6836

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to update multiple settings, including templates, designs, checkouts, and other plugin settings.
Configurations

Configuration 1 (hide)

cpe:2.3:a:funnelkit:funnel_builder:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 09:50

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/funnel-builder/trunk/modules/checkouts/includes/class-wfacp-ajax-controller.php - Patch () https://plugins.trac.wordpress.org/browser/funnel-builder/trunk/modules/checkouts/includes/class-wfacp-ajax-controller.php - Patch
References () https://plugins.trac.wordpress.org/changeset/3123202/ - Patch () https://plugins.trac.wordpress.org/changeset/3123202/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d9022afe-0c79-413b-ac0a-a1d32ec09619?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/d9022afe-0c79-413b-ac0a-a1d32ec09619?source=cve - Third Party Advisory

29 Jul 2024, 20:20

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/browser/funnel-builder/trunk/modules/checkouts/includes/class-wfacp-ajax-controller.php - () https://plugins.trac.wordpress.org/browser/funnel-builder/trunk/modules/checkouts/includes/class-wfacp-ajax-controller.php - Patch
References () https://plugins.trac.wordpress.org/changeset/3123202/ - () https://plugins.trac.wordpress.org/changeset/3123202/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d9022afe-0c79-413b-ac0a-a1d32ec09619?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/d9022afe-0c79-413b-ac0a-a1d32ec09619?source=cve - Third Party Advisory
CPE cpe:2.3:a:funnelkit:funnel_builder:*:*:*:*:*:wordpress:*:*
First Time Funnelkit funnel Builder
Funnelkit

24 Jul 2024, 12:55

Type Values Removed Values Added
Summary
  • (es) El complemento Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en múltiples funciones en todas las versiones hasta e incluyendo 3.4.6. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, actualicen múltiples configuraciones, incluidas plantillas, diseños, pagos y otras configuraciones de complementos.

24 Jul 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-24 06:15

Updated : 2024-11-21 09:50


NVD link : CVE-2024-6836

Mitre link : CVE-2024-6836

CVE.ORG link : CVE-2024-6836


JSON object : View

Products Affected

funnelkit

  • funnel_builder
CWE
CWE-862

Missing Authorization