THREATINT


PUBLISHED

CVE-2024-3602

Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0 - Missing Authorization

Assigner: Wordfence
Reserved: 2024-04-10
Published: 2024-06-20
Updated: 2024-06-20

Description

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection.



MEDIUM: 4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

*: affected

Timeline

2024-06-19: Disclosed

Credits

Lucio Sá (finder)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/05b051bc-3b1c-412e-b3d0-98ff2c8bc06e?source=cve

https://plugins.trac.wordpress.org/browser/promolayer-popup-builder/trunk/admin/class-promolayer-admin.php#L208

cve.org CVE-2024-3602

nvd.nist.gov CVE-2024-3602
