CVE-2024-12266

Description

The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import_rules() functions in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to import and export product rules along with obtaining phpinfo() data

PUBLISHED Reserved 2024-12-05 | Published 2024-12-24 | Updated 2024-12-24 | Assigner Wordfence

Problem types

CWE-862 Missing Authorization

Product status

Timeline

Credits

Fariq Fadillah Gusti Insani finder

References

www.wordfence.com/...-2a35-40aa-a002-ea55da778222?source=cve

plugins.trac.wordpress.org/.../2.1.7/admin/elex-exporter.php

plugins.trac.wordpress.org/.../2.1.7/admin/elex-importer.php

plugins.trac.wordpress.org/...iscounts&sfp_email=&sfph_mail=

plugins.trac.wordpress.org/...iscounts&sfp_email=&sfph_mail=

cve.org (CVE-2024-12266)

nvd.nist.gov (CVE-2024-12266)

Download JSON