A vulnerability, which was classified as critical, has been found in brandonwamboldt Access Control Plugin up to 4.0.13 on WordPress (WordPress Plugin). Affected by this issue is an unknown code of the component REST API. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Impacted is confidentiality. CVE summarizes:

The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Make Website Members Only" feature (when unset) and view restricted page and post content.

The weakness was presented 02/28/2024 by Francesco Carlucci. The advisory is available at wordfence.com. This vulnerability is handled as CVE-2024-0975 since 01/26/2024. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 02/28/2024). This vulnerability is assigned to T1068 by the MITRE ATT&CK project.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

See VDB-254511, VDB-255095, VDB-255667 and VDB-256812 for similar entries.

Productinfo

Type

• WordPress Plugin

Vendor

• brandonwamboldt

Name

• Access Control Plugin

Version

• 4.0.0
• 4.0.1
• 4.0.2
• 4.0.3
• 4.0.4
• 4.0.5
• 4.0.6
• 4.0.7
• 4.0.8
• 4.0.9
• 4.0.10
• 4.0.11
• 4.0.12
• 4.0.13

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion