Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
CVE-2024-7621

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Visual Website Collaboration, Feedback & Project Management – Atarim
Vendor
CVE Published:
12 August 2024

Summary

The Atarim Visual Website Collaboration plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check in the process_wpfeedback_misc_options() function. This vulnerability affects all versions up to and including 4.0.2, enabling authenticated users with Subscriber-level access or higher to modify plugin settings. Attackers may exploit this weakness to manipulate the plugin's configuration, posing significant risks to the integrity of the site and its collaboration features. It is essential for users to update to the latest version and implement stringent access control measures to mitigate these risks.

Affected Version(s)

Visual Website Collaboration, Feedback & Project Management – Atarim * <= 4.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/atarim-visual-...
https://plugins.trac.wordpress.org/changeset/3133163/atar...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lucio Sá
.