Unauthorized Data Modification in WP Datepicker Plugin for WordPress
CVE-2024-3895

8.8 HIGH

Key Information:

Vendor:
WordPress
CVE Published:
2 May 2024

Badges

📰 News Worthy

Summary

The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data because the wpdp_add_new_datepicker_ajax() function lacks a proper capability check, affecting all versions up to and including 2.1.0. Authenticated users with subscriber-level access or higher can use it to change arbitrary options, which can lead to privilege escalation. A partial patch shipped in versions 2.0.9 and 2.1.0; the issue was fully resolved in version 2.1.1, so keeping plugins updated remains the mitigation for this risk.
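The bug class described above is a WordPress AJAX handler that any logged-in user can reach but that never checks a capability before calling update_option(). The following is an added illustration of that pattern beside its hardened form; it is not the WP Datepicker plugin's code, and the function names, action names and option keys are assumptions:

```php
<?php
// Added illustration of the bug class, not the WP Datepicker plugin's code.
// All names below (example_*) are hypothetical.

// VULNERABLE PATTERN: every wp_ajax_* hook is reachable by any authenticated
// user, subscribers included. Without a capability check, the option key and
// value are fully client-controlled, so any option on the site can be rewritten.
function example_save_settings_ajax_vulnerable() {
    $name  = sanitize_key( $_POST['option_name'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value ); // no authorization decision was made
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_ajax_vulnerable' );

// HARDENED PATTERN: nonce + capability check + allow-list of option keys.
function example_save_settings_ajax_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    This is NOT authorization; it only proves the request came from our form.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability
    //    that actually governs changing site options (this is the missing check).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never let the client choose which option is written. Restrict writes to
    //    the keys this feature owns, so even an administrator session cannot be
    //    steered into touching unrelated options.
    $allowed = array( 'example_date_format', 'example_first_day' );
    $name    = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option.' ), 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_ajax_hardened' );
```

When reviewing a plugin for this class of bug, grep every wp_ajax_ and wp_ajax_nopriv_ callback for a current_user_can() call before any update_option(), update_user_meta() or similar write; a nonce check on its own does not close the hole.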

Affected Version(s)

WP Datepicker * <= 2.1.0

News Articles

WordPress Plugin Flaw Exposes 10k+ Websites to Cyber Attacks

A critical vulnerability in the WP Datepicker WordPress plugin was identified, affecting more than 10,000 active installations.

9 months ago

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • 📰 First article discovered by CybersecurityNews
  • Vulnerability Reserved

Credit

Lucio Sá