← Back

CVE-2024-5324

nvd nist
Published: Jun 6, 2024Modified: Apr 8, 2026

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: security@wordfence.com (Secondary)

Description

Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Affected (5)

Xootix
4 products
Login/signup Popup
Otp Login Woocommerce & Gravity Forms
Side Cart Woocommerce
Waitlist Woocommerce
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Xootix
Login/signup Popup
Version 2.7.1
Login/signup Popup
Version 2.7.2
Otp Login Woocommerce & Gravity Forms
Before 2.6.2
Side Cart Woocommerce
Version 2.5
Waitlist Woocommerce
Before 2.6.1

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (10)

Source: security@wordfence.com
Patch
Source: security@wordfence.com
Source: security@wordfence.com
Patch
Source: security@wordfence.com
Source: security@wordfence.com
Source: security@wordfence.com
Source: security@wordfence.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.