Google Drive Vulnerable to Data Modification and Loss Due to Missing Capability Check
CVE-2024-2086

10CRITICAL

Key Information:

Vendor: WordPress
Status: File Manager For Google Drive – Integrate Google Drive
Vendor: CVE Published:; 30 March 2024

Badges

👾 Exploit Exists

What is CVE-2024-2086?

The Integrate Google Drive plugin for WordPress is susceptible to security weaknesses resulting from a lack of proper capability checks on several AJAX endpoints. This vulnerability affects all versions up to and including 1.3.8, allowing authenticated attackers to gain unauthorized access to sensitive data and modify plugin configurations. Furthermore, the flaw enables full read, write, and delete capabilities on Google Drive files associated with the plugin, posing significant risks to data integrity and confidentiality.

Affected Version(s)

File Manager for Google Drive – Integrate Google Drive 0 <= 1.3.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3051452/inte...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 30, 2024
👾
Exploit known to exist
Mar 30, 2024
Vulnerability published
Mar 30, 2024
Vulnerability Reserved
Mar 1, 2024

Credit

Krzysztof Zając

CVE-2024-2086 Data

JSON