CVE-2024-9065

The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/wp-helper-lite/trunk/functions/class.wps-frontend-setup-function.php#L55	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3c6d98-6f30-4a98-91c9-e77c1f960527?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:matbao:wp_helper_premium:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2024-10-10 02:15

Updated : 2024-10-15 14:14

NVD link : CVE-2024-9065

Mitre link : CVE-2024-9065

CVE.ORG link : CVE-2024-9065

JSON object : View

Products Affected

matbao

wp_helper_premium

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-9065", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-10-10T02:15:04.363", "references": [{"url": "https://plugins.trac.wordpress.org/browser/wp-helper-lite/trunk/functions/class.wps-frontend-setup-function.php#L55", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3c6d98-6f30-4a98-91c9-e77c1f960527?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient."}, {"lang": "es", "value": "El complemento WP Helper Premium para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'whp_smtp_send_mail_test' en todas las versiones hasta la 4.6.1 incluida. Esto permite que atacantes no autenticados env\u00eden correos electr\u00f3nicos que contengan cualquier contenido y que se originen en la instancia vulnerable de WordPress a cualquier destinatario."}], "lastModified": "2024-10-15T14:14:18.590", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:matbao:wp_helper_premium:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "98AB41EA-79AD-4C99-86F2-B9E2F3188028", "versionEndIncluding": "4.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}