Unauthorized Modification of License Key in If Menu Plugin
CVE-2024-7894

5.3MEDIUM

Key Information:

Vendor: Wordpress
Vendor: CVE Published:; 7 December 2024

What is CVE-2024-7894?

The If Menu plugin for WordPress contains a vulnerability that allows unauthorized modification of the plugin's license key. This is due to the absence of a capability check in the plugin's 'actions' function, making versions up to and including 0.19.1 susceptible to exploitation by unauthenticated attackers. The potential for attackers to modify or delete the license key poses significant risks for WordPress users, as it could lead to unauthorized access and manipulation of plugin capabilities.

References

https://plugins.trac.wordpress.org/browser/if-menu/trunk/...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

https://www.wordfence.com/threat-intel/vulnerabilities/id...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 7, 2024

Wordpress

What is CVE-2024-7894?

References

CVSS V3.1

Timeline