CVE-2024-8349

The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access.
Configurations

Configuration 1 (hide)

cpe:2.3:a:uncannyowl:uncanny_groups_for_learndash:*:*:*:*:*:wordpress:*:*

History

02 Oct 2024, 16:50

Type Values Removed Values Added
CPE cpe:2.3:a:uncannyowl:uncanny_groups_for_learndash:*:*:*:*:*:wordpress:*:*
First Time Uncannyowl uncanny Groups For Learndash
Uncannyowl
References () https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350 - () https://github.com/karlemilnikka/CVE-2024-8349-and-CVE-2024-8350 - Third Party Advisory
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/64cf0ae2-8d66-40d1-8bb6-0cab1dafab0d?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/64cf0ae2-8d66-40d1-8bb6-0cab1dafab0d?source=cve - Third Party Advisory

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) El complemento Uncanny Groups for LearnDash para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 6.1.0.1 incluida. Esto se debe a que el complemento no restringe adecuadamente los usuarios que un líder de grupo puede editar. Esto hace posible que los atacantes autenticados, con acceso de nivel de líder de grupo y superior, cambien las direcciones de correo electrónico de las cuentas de administrador, lo que posteriormente puede dar lugar al acceso a las cuentas de administrador.

25 Sep 2024, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-25 03:15

Updated : 2024-10-02 16:50


NVD link : CVE-2024-8349

Mitre link : CVE-2024-8349

CVE.ORG link : CVE-2024-8349


JSON object : View

Products Affected

uncannyowl

  • uncanny_groups_for_learndash
CWE
CWE-862

Missing Authorization