Privilege Escalation Vulnerability in FundEngine WordPress Plugin
CVE-2024-6698

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Fundengine – Donation And Crowdfunding Platform
Vendor: CVE Published:; 1 August 2024

Summary

The FundEngine plugin for WordPress is susceptible to a privilege escalation vulnerability due to inadequate verification of user metadata. This flaw affects all versions up to and including 1.7.0, allowing authenticated attackers possessing subscriber-level access or higher to manipulate their user meta. By exploiting this vulnerability, attackers can enhance their capabilities, potentially gaining unauthorized administrator-level access to the WordPress site. It is critical for users of the FundEngine plugin to ensure they implement immediate measures to mitigate the risks associated with this vulnerability.

Affected Version(s)

FundEngine – Donation and Crowdfunding Platform * <= 1.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 1, 2024
Vulnerability Reserved
Jul 11, 2024

Credit

Thanh Nam Tran