Missing Authorization in Evergreen Content Poster Plugin by User Growth - CVE-2024-12071
Published: January 31, 2025
Vulnerability identifier: #VU103483
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-12071
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: User Growth
Affected software: Evergreen Content Poster Plugin by User Growth
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to a missing capability check on the delete_network_post() function. A remote attacker can delete arbitrary posts and pages.
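The pattern described above, as an added example (not the plugin's own code, which this page does not reproduce): a hypothetical WordPress AJAX handler without and then with a capability check. The `example_` function names, the `post_id` and `nonce` parameters and the AJAX registration are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical handlers, not the plugin's source.
// Assumption: the function is reachable as a WordPress AJAX action that
// receives a post ID in the request body.

// Before: the shape CWE-862 describes. Nothing ties the request to the
// caller's rights over the post being deleted.
function example_delete_network_post_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// After: a nonce check for request intent, then a capability check for
// authorization on this specific post.
function example_delete_network_post_checked() {
    // Ends the request unless it carries a valid nonce for this action.
    check_ajax_referer( 'example_delete_network_post', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown post.' ), 404 );
    }

    // 'delete_post' is a meta capability: WordPress maps it to the right
    // primitive capability for this post (author, status, post type).
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// Registering only the wp_ajax_ hook (no wp_ajax_nopriv_ hook) limits the
// action to logged-in users. Low-privilege accounts are logged in too, so
// the capability check above is still what enforces authorization.
add_action( 'wp_ajax_example_delete_network_post', 'example_delete_network_post_checked' );
```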
How to mitigate CVE-2024-12071
Install updates from the vendor's website.
Sources
- https://plugins.trac.wordpress.org/browser/evergreen-content-poster/trunk/admin/class-evergreen_content_poster-admin.php#L333
- https://plugins.trac.wordpress.org/browser/evergreen-content-poster/trunk/includes/class-evergreen_content_poster.php#L345
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3224190%40evergreen-content-poster&new=3224190%40evergreen-content-poster&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/aa07f48f-370f-4985-a6fc-a94ed5c59ed4?source=cve