WordPress Plum: Spin Wheel & Email Pop-up plugin <= 2.0 - Broken Access Control to Unauth Stored XSS vulnerability
CVE-2024-38744

8.3HIGH

Key Information:

Vendor: WordPress
Status: Plum: Spin Wheel & Email Pop-up
Vendor: CVE Published:; 1 November 2024

What is CVE-2024-38744?

The Upqode Plum: Spin Wheel & Email Pop-up experiences a critical issue where missing authorization checks allow unauthorized users to access certain functionalities. This vulnerability also exposes the application to stored cross-site scripting (XSS) attacks, compromising user data and interaction integrity. The affected versions of this plugin range from an unspecified version up to 2.0, necessitating immediate attention and remediation for users to safeguard their data and maintain overall security.

Affected Version(s)

Plum: Spin Wheel & Email Pop-up <= 2.0

References

https://patchstack.com/database/vulnerability/qodeblock/w...

vdb-entry

CVSS V3.1

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2024
Vulnerability Reserved
Jun 19, 2024

Credit

Ananda Dhakal (Patchstack)