Unauthorized Data Modification Vulnerability in SV100 Companion Plugin for WordPress
CVE-2024-12155

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Sv100 Companion
Vendor: CVE Published:; 6 December 2024

Summary

The SV100 Companion plugin for WordPress presents a vulnerability that allows unauthenticated attackers to manipulate site configurations. This is due to a lack of capability checks in the settings_import() function, present in all versions up to and including 2.0.02. As a result, attackers can change various default options, including elevating the registration role to administrator, thereby granting themselves extensive control over the WordPress site. This vulnerability represents a significant security risk, enabling unauthorized user registration and potentially disastrous outcomes for the affected site.

Affected Version(s)

SV100 Companion * <= 2.0.02

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/sv100-companio...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 6, 2024
Vulnerability Reserved
Dec 4, 2024

Credit

Lucio Sá