CVE-2024-0791 in WOLF Plugininfo

Summary

by MITRE • 02/06/2024

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create, delete or modify taxonomy terms.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified in CVE-2024-0791 affects the WOLF WordPress plugin version 1.0.8.1 and earlier, representing a critical authorization flaw that undermines the security model of WordPress installations. This issue stems from insufficient capability checks within three core functions: wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term. The flaw allows authenticated users with subscriber-level privileges or higher to manipulate taxonomy terms within the WordPress environment, creating a significant risk for content integrity and system security. The vulnerability directly impacts the principle of least privilege by permitting users with minimal administrative rights to perform operations typically restricted to higher-level administrators.

The technical implementation of this vulnerability resides in the plugin's handling of AJAX requests for taxonomy term management operations. When users with subscriber access or higher make requests to these specific functions, the plugin fails to verify whether the authenticated user possesses the necessary permissions to perform the requested actions. This missing authorization check creates a path for privilege escalation through data manipulation, allowing attackers to alter or remove taxonomy terms that should be restricted to administrators or editors. The vulnerability is particularly concerning because taxonomy terms form the foundation of content organization and categorization within WordPress, making their unauthorized modification potentially devastating to site structure and content management.

The operational impact of this vulnerability extends beyond simple data modification, as it enables attackers to compromise the integrity of content organization systems and potentially disrupt site functionality. An attacker with subscriber access could create malicious taxonomy terms that might be used for phishing attacks, content redirection, or to manipulate site search results and user experience. The ability to delete taxonomy terms could result in broken links, lost categorization data, and disruption of content organization that could affect site performance and user engagement. Additionally, the vulnerability could be exploited as part of a broader attack chain, potentially leading to more severe compromises of the WordPress installation and underlying infrastructure.

From a cybersecurity perspective, this vulnerability aligns with CWE-863, which describes "Incorrect Authorization," and represents a clear violation of the principle of least privilege as outlined in the OWASP Top Ten. The attack vector requires only authenticated access, making it particularly dangerous as it can be exploited by insiders or compromised accounts with subscriber-level permissions. Mitigation strategies should include immediate plugin updates to versions that address the capability check deficiencies, implementation of role-based access controls, and monitoring of taxonomy term modifications for unauthorized activity. Organizations should also consider implementing additional security layers such as web application firewalls and regular security audits to detect and prevent exploitation of similar authorization flaws. The vulnerability demonstrates the critical importance of proper input validation and capability verification in plugin development, particularly for functions that manipulate core content structures within WordPress platforms.

Responsible

Wordfence

Reservation

01/22/2024

Disclosure

02/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00533

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!