Authorization Bypass in WPML Plugin for WordPress
CVE-2015-2792
Currently unrated
Summary
The WPML plugin for WordPress, prior to version 3.1.9, does not properly handle multiple actions in a single request. Remote attackers can exploit this flaw to bypass nonce validation checks, potentially allowing unauthorized actions to be executed through crafted POST and GET requests. The risk arises when a valid nonce is combined with specific action parameters, which can lead to misuse of the plugin's functionality.
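The mismatch between the action that is nonce-checked and the action that runs, as an added example that is not WPML's code and not part of the original advisory: a small Python model of a handler with that flaw next to one that binds the nonce check to the single action it dispatches. The action names, the key, the choice of which parameter source is checked, and the simplified nonce scheme are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; stands in for the site's nonce secret

def make_nonce(user, action):
    """Token bound to one user and one action name (simplified, no expiry)."""
    msg = f"{user}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]

def nonce_ok(user, action, nonce):
    return hmac.compare_digest(make_nonce(user, action), nonce or "")

# Hypothetical actions (not WPML's): one harmless, one privileged.
HANDLERS = {
    "dismiss_notice": lambda: "notice dismissed",
    "reset_settings": lambda: "settings reset",
}

def handle_flawed(user, get, post):
    """Assumed flaw model: nonce checked for one 'action', another dispatched."""
    if not nonce_ok(user, get.get("action"), get.get("nonce")):
        return "rejected"
    merged = {**get, **post}  # body value shadows the query-string value
    handler = HANDLERS.get(merged["action"])
    return handler() if handler else "rejected"

def handle_hardened(user, get, post):
    """Resolve the action once and verify the nonce against that same value."""
    actions = {src["action"] for src in (get, post) if "action" in src}
    if len(actions) != 1:  # missing or conflicting action values
        return "rejected"
    action = actions.pop()
    nonce = post.get("nonce", get.get("nonce"))
    if action not in HANDLERS or not nonce_ok(user, action, nonce):
        return "rejected"
    return HANDLERS[action]()

# Constructed request: the nonce was issued for the harmless action only,
# while the body names a different action.
GET = {"action": "dismiss_notice", "nonce": make_nonce("alice", "dismiss_notice")}
POST = {"action": "reset_settings"}

if __name__ == "__main__":
    print("flawed  :", handle_flawed("alice", GET, POST))
    print("hardened:", handle_hardened("alice", GET, POST))
```

The hardened handler rejects any request whose `action` values disagree, so a nonce can only ever authorize the action it was issued for.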
Timeline
Vulnerability Reserved
Vulnerability published