CVE-2024-11916
Published: 08 January 2025
Description
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on several functions in all versions up to, and including, 3.0.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to import and activate arbitrary code snippets along with
Security Summary
CVE-2024-11916 affects the Ultimate WordPress Toolkit – WP Extended plugin for WordPress in all versions up to and including 3.0.11. The vulnerability stems from a missing capability check on several functions, enabling unauthorized modification and retrieval of data. It has a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L) and is associated with CWE-862 (Missing Authorization) and CWE-79 (Cross-Site Scripting).
Authenticated attackers with subscriber-level access or higher can exploit this issue over the network with low complexity and no user interaction required. Successful exploitation allows them to import and activate arbitrary code snippets, resulting in unauthorized data modification and retrieval, with potential impacts across confidentiality, integrity, and availability due to the changed scope.
Mitigation details are available in advisories from Wordfence and a corresponding patch in the WordPress plugin repository at the provided trac changeset reference. Security practitioners should update to a patched version beyond 3.0.11 and review access controls for low-privilege users on affected sites.
Details
- CWE(s)