WP Plugin Elespare <=2.1.2 Auth Post Creation Loophole
CVE-2024-0900 Published on April 23, 2024
Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! <= 2.1.2 - Missing Authorization to Subscriber+ Arbitrary Post Creation
The Elespare Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elespare_create_post() function hooked via AJAX in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary posts.
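The weakness described above is the common WordPress pattern of a `wp_ajax_*` handler that writes to the database without checking the caller's capabilities. The following PHP is an added illustration written for this page, not the Elespare plugin's own code: the action names `example_create_post` / `example_create_post_secure`, the nonce action and the `title`/`content` request fields are assumptions chosen for the example. It shows the unchecked handler beside a hardened version that verifies a nonce and the `publish_posts` capability before calling `wp_insert_post()`.

```php
<?php
// Added illustration (not the Elespare plugin's own code). Hook names, nonce
// action and request fields are assumptions made for this example.

// --- Vulnerable pattern: AJAX handler with no capability check -------------
// Every logged-in user, subscribers included, can reach a wp_ajax_* action.
// Without a current_user_can() check the handler lets any of them create posts.
function example_create_post_insecure() {
    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
    ) );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_create_post', 'example_create_post_insecure' );

// --- Hardened pattern: nonce + capability check before any write -----------
function example_create_post_secure() {
    // Reject requests that do not carry a valid nonce for this action (CSRF).
    check_ajax_referer( 'example_create_post_nonce', 'nonce' );

    // Authorization: only users allowed to publish posts get past this point.
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
        'post_status'  => 'publish',
        'post_author'  => get_current_user_id(),
    ), true ); // second argument: return a WP_Error instead of 0 on failure

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
// Only the authenticated hook is registered; no wp_ajax_nopriv_ variant exists.
add_action( 'wp_ajax_example_create_post_secure', 'example_create_post_secure' );
```

The nonce is generated server-side with `wp_create_nonce( 'example_create_post_nonce' )` and handed to the front-end script (for instance via `wp_localize_script()`), so the check fails for requests forged from another origin. The capability is chosen to match the action: because the handler publishes immediately, it requires `publish_posts` rather than the weaker `edit_posts`, which Contributors also hold. When auditing a plugin for this class of bug, look at every `add_action( 'wp_ajax_...' )` registration and confirm the callback performs both checks before it reaches a write call such as `wp_insert_post()`.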
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-0900 is classified as an AuthZ (missing authorization) weakness.
Products Associated with CVE-2024-0900
Affected Versions
- EleSpare – News, Magazine and Blog Addons for Elementor: all versions up to and including 2.1.2 are affected.
- Version 2.1.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.