CVE-2024-9265

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can set during registration through the echo_check_post_header_sent() function. This makes it possible for unauthenticated attackers to register as an administrator.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/c099f401-4b05-4532-8e31-af1b1dea7eca?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:coderevolution:echo_rss_feed_post_generator:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2024-10-01 09:15

Updated : 2024-10-07 18:48

NVD link : CVE-2024-9265

Mitre link : CVE-2024-9265

CVE.ORG link : CVE-2024-9265

JSON object : View

Products Affected

coderevolution

echo_rss_feed_post_generator

CWE

CWE-269

Improper Privilege Management

NVD-CWE-noinfo

{"id": "CVE-2024-9265", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-10-01T09:15:08.810", "references": [{"url": "https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c099f401-4b05-4532-8e31-af1b1dea7eca?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can set during registration through the echo_check_post_header_sent() function. This makes it possible for unauthenticated attackers to register as an administrator."}, {"lang": "es", "value": "El complemento Echo RSS Feed Post Generator para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 5.4.6 incluida. Esto se debe a que el complemento no restringe adecuadamente los roles que se pueden establecer durante el registro a trav\u00e9s de la funci\u00f3n echo_check_post_header_sent(). Esto hace posible que atacantes no autenticados se registren como administradores."}], "lastModified": "2024-10-07T18:48:15.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:coderevolution:echo_rss_feed_post_generator:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "F5F16CC5-8B71-4EC8-9F5E-60F7480844CC", "versionEndExcluding": "5.4.7"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}