CVE-2024-5324

Summary

Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

Affected Software

VendorProductVersion RangeStatus
xootixWaitlist Woocommerce ( Back in stock notifier )0 <= 2.6affected
xootixOTP Login & Register Woocommerce0 <= 2.6.1affected
xootixSide Cart WoocommerceWoocommerce Cart2.5
xootixLogin & Register Customizer – PopupSliderInline

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References