The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.
References
Configurations
History
20 Nov 2024, 15:09
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:themify:builder:*:*:*:*:-:wordpress:*:* | |
First Time |
Themify builder
|
27 Sep 2024, 12:53
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:themify:themify_builder:*:*:*:*:*:wordpress:*:* | |
First Time |
Themify themify Builder
Themify |
|
References | () https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.6.1/classes/class-builder-duplicate-page.php#L41 - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/31dfc46c-a673-41f1-b701-aa832f004ebc?source=cve - Third Party Advisory |
22 Aug 2024, 12:48
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
22 Aug 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-22 03:15
Updated : 2024-11-20 15:09
NVD link : CVE-2024-7836
Mitre link : CVE-2024-7836
CVE.ORG link : CVE-2024-7836
JSON object : View
Products Affected
themify
- builder
CWE
CWE-863
Incorrect Authorization