CVE-2024-5863 - OpenCVE

The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

No reference.

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-28T03:29:34.561Z

Updated: 2024-06-28T14:36:26.845Z

Reserved: 2024-06-11T14:01:32.884Z

Link: CVE-2024-5863

JSON object: View

NVD Information

No data.

Redhat Information

No data.

CWE

No CWE.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5863", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-06-11T14:01:32.884Z", "datePublished": "2024-06-28T03:29:34.561Z", "dateUpdated": "2024-06-28T14:36:26.845Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-28T03:29:34.561Z"}, "affected": [{"vendor": "brechtvds", "product": "Easy Image Collage", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.13.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts."}], "title": "Easy Image Collage <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceeefc3f-1cb7-48df-9978-258f015d93c7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3106714/easy-image-collage/tags/1.13.6/helpers/ajax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-06-27T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-28T14:34:18.378616Z", "id": "CVE-2024-5863", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-28T14:36:26.845Z"}}]}}