The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access.
References
Link | Resource |
---|---|
https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350 | Third Party Advisory |
https://www.wordfence.com/threat-intel/vulnerabilities/id/64cf0ae2-8d66-40d1-8bb6-0cab1dafab0d?source=cve | Third Party Advisory |
Configurations
History
02 Oct 2024, 16:50
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:uncannyowl:uncanny_groups_for_learndash:*:*:*:*:*:wordpress:*:* | |
First Time |
Uncannyowl uncanny Groups For Learndash
Uncannyowl |
|
References | () https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350 - Third Party Advisory | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/64cf0ae2-8d66-40d1-8bb6-0cab1dafab0d?source=cve - Third Party Advisory |
26 Sep 2024, 13:32
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
25 Sep 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-25 03:15
Updated : 2024-10-02 16:50
NVD link : CVE-2024-8349
Mitre link : CVE-2024-8349
CVE.ORG link : CVE-2024-8349
JSON object : View
Products Affected
uncannyowl
- uncanny_groups_for_learndash
CWE
CWE-862
Missing Authorization