WordPress WP Datepicker plugin <= 2.1.1 - Broken Access Control vulnerability
CVE-2024-47321

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WP Datepicker
Vendor: CVE Published:; 1 November 2024

Summary

A notable vulnerability exists within the WP Datepicker plugin by Fahad Mahmood, stemming from inadequate Access Control Lists (ACLs). This flaw allows unauthorized access to functionalities that are not properly restricted, potentially exposing sensitive operations within the plugin. The vulnerability impacts all versions of WP Datepicker up to 2.1.1. Users utilizing this plugin are recommended to assess their exposure and apply necessary security measures to mitigate risks associated with this access control issue.

Affected Version(s)

WP Datepicker <= 2.1.1

References

https://patchstack.com/database/vulnerability/wp-datepick...

vdb-entry

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 1, 2024
Vulnerability Reserved
Sep 24, 2024

Credit

Mika (Patchstack Alliance)