Unauthorized Update of Plugin Settings Due to Missing Capability Check
CVE-2024-3602
4.3MEDIUM
Key Information
- Vendor
- Promolayerpopupbuilder
- Status
- Pop Ups, Exit Intent Popups, Email Popups, Banners, Bars, Countdowns And Cart Savers – Promolayer
- Vendor
- Published:
- 20 June 2024
Summary
The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection.
Affected Version(s)
Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Timeline
Vulnerability published.
Disclosed
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database
Credit
Lucio Sá