Google Drive Vulnerable to Data Modification and Loss Due to Missing Capability Check
CVE-2024-2086

10CRITICAL

Key Information:

Vendor
Wordpress
Status
Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, And Manage Your Google Drive Files Into Your WordPress Site
Vendor
CVE Published:
30 March 2024

Badges

πŸ‘Ύ Exploit Exists

Summary

The Integrate Google Drive plugin for WordPress is susceptible to security weaknesses resulting from a lack of proper capability checks on several AJAX endpoints. This vulnerability affects all versions up to and including 1.3.8, allowing authenticated attackers to gain unauthorized access to sensitive data and modify plugin configurations. Furthermore, the flaw enables full read, write, and delete capabilities on Google Drive files associated with the plugin, posing significant risks to data integrity and confidentiality.

Affected Version(s)

Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files into Your WordPress Site * <= 1.3.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/3051452/inte...

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Krzysztof ZajΔ…c
.