CVE-2024-11844: IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion

4.3 CVSS

Description

The IdeaPush plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idea_push_taxonomy_save_routine function in all versions up to, and including, 8.71. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete terms for the "boards" taxonomy.

Classification

CVE ID: CVE-2024-11844

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: northernbeacheswebsites

Product: IdeaPush

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 24.01% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/34603c3f-834f-4a2a-9b9f-5213155d4317?source=cve
https://plugins.trac.wordpress.org/browser/ideapush/trunk/ideapush.php#L766
https://plugins.trac.wordpress.org/changeset/3198488/ideapush/trunk/ideapush.php

Timeline

2024-12-04 00:11:22 UTC
CVE

IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion