CVE-2024-8552

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpchill:download_monitor:*:*:*:*:*:wordpress:*:*

History

02 Oct 2024, 17:00

Type Values Removed Values Added
First Time Wpchill
Wpchill download Monitor
CPE cpe:2.3:a:wpchill:download_monitor:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.8/src/AjaxHandler.php#L317 - () https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.8/src/AjaxHandler.php#L317 - Product
References () https://plugins.trac.wordpress.org/changeset/3157424/#file17 - () https://plugins.trac.wordpress.org/changeset/3157424/#file17 - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/3acaedff-f616-4b66-9208-f7e6a4df920d?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/3acaedff-f616-4b66-9208-f7e6a4df920d?source=cve - Third Party Advisory

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) El complemento Download Monitor para WordPress es vulnerable a la modificación no autorizada de datos debido a una verificación de capacidad faltante en la función enable_shop() en todas las versiones hasta la 5.0.9 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, habiliten la funcionalidad de la tienda.

26 Sep 2024, 03:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-26 03:15

Updated : 2024-10-02 17:00


NVD link : CVE-2024-8552

Mitre link : CVE-2024-8552

CVE.ORG link : CVE-2024-8552


JSON object : View

Products Affected

wpchill

  • download_monitor
CWE
CWE-862

Missing Authorization