CVE-2024-3627

The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php	Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kraftplugins:wheel_of_life:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2024-06-20 02:15

Updated : 2024-07-15 17:12

NVD link : CVE-2024-3627

Mitre link : CVE-2024-3627

CVE.ORG link : CVE-2024-3627

JSON object : View

Products Affected

kraftplugins

wheel_of_life

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-3627", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2024-06-20T02:15:11.040", "references": [{"url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings."}, {"lang": "es", "value": "El complemento Wheel of Life: Coaching and Assessment Tool for Life Coach para WordPress es vulnerable a modificaciones no autorizadas y p\u00e9rdida de datos debido a una falta de verificaci\u00f3n de capacidad en varias funciones en el archivo AjaxFunctions.php en todas las versiones hasta la 1.1.7 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen publicaciones arbitrarias y modifiquen configuraciones."}], "lastModified": "2024-07-15T17:12:17.763", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kraftplugins:wheel_of_life:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "8279D89F-46FA-490F-87D7-AF34D607BB3E", "versionEndIncluding": "1.1.7"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}

5.4 /10