CVE-2024-8123

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors including admins. This includes the ability to duplicate password-protected posts, which reveals their contents.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpextended:wp_extended:*:*:*:*:*:wordpress:*:*

History

06 Sep 2024, 17:20

Type Values Removed Values Added
First Time Wpextended
Wpextended wp Extended
CPE cpe:2.3:a:wpextended:wp_extended:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_duplicator/wpext_duplicator.php#L48 - () https://plugins.trac.wordpress.org/browser/wpextended/trunk/includes/modules/core_extensions/wpext_duplicator/wpext_duplicator.php#L48 - Product
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3145430%40wpextended%2Ftrunk&old=3134345%40wpextended%2Ftrunk&sfp_email=&sfph_mail= - () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3145430%40wpextended%2Ftrunk&old=3134345%40wpextended%2Ftrunk&sfp_email=&sfph_mail= - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/b1e421fb-4839-4e2d-911f-e2fa8c756744?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/b1e421fb-4839-4e2d-911f-e2fa8c756744?source=cve - Third Party Advisory

04 Sep 2024, 13:05

Type Values Removed Values Added
Summary
  • (es) El complemento The Ultimate WordPress Toolkit – WP Extended para WordPress es vulnerable a la referencia directa a objetos inseguros en todas las versiones hasta la 3.0.8 incluida a través de la función duplicate_post debido a la falta de validación en una clave controlada por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, dupliquen publicaciones escritas por otros autores, incluidos los administradores. Esto incluye la capacidad de duplicar publicaciones protegidas con contraseña, lo que revela su contenido.

04 Sep 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-04 07:15

Updated : 2024-09-06 17:20


NVD link : CVE-2024-8123

Mitre link : CVE-2024-8123

CVE.ORG link : CVE-2024-8123


JSON object : View

Products Affected

wpextended

  • wp_extended
CWE
CWE-639

Authorization Bypass Through User-Controlled Key