CVE-2024-9860

The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054
https://www.wordfence.com/threat-intel/vulnerabilities/id/968d5d31-2592-4bed-9d18-5877f0d6062e?source=cve

Configurations

No configuration.

History

15 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) El complemento Bridge Core para WordPress es vulnerable a la modificación no autorizada de datos o a la pérdida de datos debido a la falta de una comprobación de capacidad en las funciones 'import_action' e 'install_plugin_per_demo' en versiones hasta la 3.3 incluida. Esto permite que atacantes autenticados con permisos de nivel de suscriptor o superior eliminen o cambien la configuración del complemento, importen datos de demostración e instalen complementos limitados.

12 Oct 2024, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-12 03:15

Updated : 2024-10-15 12:57

NVD link : CVE-2024-9860

Mitre link : CVE-2024-9860

CVE.ORG link : CVE-2024-9860

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

6.5 /10