CVE-2024-11911: WP Crowdfunding <= 2.1.12 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation

4.3 CVSS

Description

The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function action in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement.

Classification

CVE ID: CVE-2024-11911

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: themeum

Product: WP Crowdfunding

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.21% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/972be091-64c4-4cb7-9563-70249c0db157?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3206336%40wp-crowdfunding%2Ftrunk&old=3174230%40wp-crowdfunding%2Ftrunk&sfp_email=&sfph_mail=

Timeline

2024-12-14 00:30:19 UTC
CVE

WP Crowdfunding <= 2.1.12 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation