Unauthorized Data Manipulation in WP Extended Plugin for WordPress
CVE-2024-11916

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: The Ultimate WordPress Toolkit – WP Extended
Vendor: CVE Published:; 8 January 2025

Summary

The WP Extended plugin for WordPress is susceptible to unauthorized modification and retrieval of sensitive data due to inadequate capability checks in its functions. This vulnerability can be exploited by authenticated users with subscriber-level or higher privileges, allowing them to import and execute arbitrary code snippets. As a result, attackers may gain access to restricted functionalities, threatening the integrity and security of the WordPress installation.

Affected Version(s)

The Ultimate WordPress Toolkit – WP Extended * <= 3.0.11

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 8, 2025
Vulnerability Reserved
Nov 27, 2024

Credit

Lucio Sá