Authorization Bypass in Mega Addons Plugin for WordPress
CVE-2022-4501

7.1 HIGH

Key Information:

Vendor: WordPress
CVE Published: 14 December 2022

Summary

The Mega Addons plugin for WordPress allows authenticated users, including those with only subscriber-level permissions, to bypass authorization checks. The cause is a missing capability check in the vc_saving_data function in versions up to and including 4.2.7. An attacker who exploits the flaw can modify critical plugin settings, potentially leading to unauthorized changes to the site's configuration and functionality.

Affected Version(s)

Mega Addons For WPBakery Page Builder * <= 4.2.7

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka