
2 vulnerabilities found for IgnitionDeck Crowdfunding Platform by ignitionwp

CVE-2024-4410 (GCVE-0-2024-4410)

Vulnerability from nvd – Published: 2024-07-27 01:51 – Updated: 2024-08-01 20:40
Title
IgnitionDeck Crowdfunding Platform <= 1.9.8 - Missing Authorization
Summary
The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.9.8. Various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file perform no capability check, so any authenticated user with subscriber-level access or higher can execute those actions. The exposed actions include changing the permalink structure and plugin settings, among others.
CWE: CWE-862 Missing Authorization
Assigner: Wordfence
Impacted products
Vendor Product Version
ignitionwp IgnitionDeck Crowdfunding Platform Affected: * , ≤ 1.9.8 (semver)
Credits
Marco Wotschka

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-4410",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-29T14:34:38.452804Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-29T16:16:56.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:40:47.231Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b6aad4-fbaf-4c0c-b2b7-6e264a1afb9b?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L186"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L1162"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IgnitionDeck Crowdfunding Platform",
          "vendor": "ignitionwp",
          "versions": [
            {
              "lessThanOrEqual": "1.9.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-27T01:51:00.925Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b6aad4-fbaf-4c0c-b2b7-6e264a1afb9b?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L186"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L1162"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-26T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "IgnitionDeck Crowdfunding Platform \u003c= 1.9.8 - Missing Authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-4410",
    "datePublished": "2024-07-27T01:51:00.925Z",
    "dateReserved": "2024-05-02T08:14:43.035Z",
    "dateUpdated": "2024-08-01T20:40:47.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-4410 (GCVE-0-2024-4410)

Vulnerability from cvelistv5 – Published: 2024-07-27 01:51 – Updated: 2024-08-01 20:40
Title
IgnitionDeck Crowdfunding Platform <= 1.9.8 - Missing Authorization
Summary
The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.9.8. Various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file perform no capability check, so any authenticated user with subscriber-level access or higher can execute those actions. The exposed actions include changing the permalink structure and plugin settings, among others.
CWE: CWE-862 Missing Authorization
Assigner: Wordfence
Impacted products
Vendor Product Version
ignitionwp IgnitionDeck Crowdfunding Platform Affected: * , ≤ 1.9.8 (semver)
Credits
Marco Wotschka

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-4410",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-29T14:34:38.452804Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-29T16:16:56.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:40:47.231Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b6aad4-fbaf-4c0c-b2b7-6e264a1afb9b?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L186"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L1162"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IgnitionDeck Crowdfunding Platform",
          "vendor": "ignitionwp",
          "versions": [
            {
              "lessThanOrEqual": "1.9.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marco Wotschka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-27T01:51:00.925Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/07b6aad4-fbaf-4c0c-b2b7-6e264a1afb9b?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L186"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ignitiondeck/trunk/classes/class-idf-wizard.php#L1162"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-26T00:00:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "IgnitionDeck Crowdfunding Platform \u003c= 1.9.8 - Missing Authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-4410",
    "datePublished": "2024-07-27T01:51:00.925Z",
    "dateReserved": "2024-05-02T08:14:43.035Z",
    "dateUpdated": "2024-08-01T20:40:47.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}