CVE-2024-11496

The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site.
Configurations

Configuration 1 (hide)

cpe:2.3:a:infility:infility_global:*:*:*:*:*:wordpress:*:*

History

05 Jun 2025, 15:41

Type Values Removed Values Added
Summary
  • (es) El complemento Infility Global para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función infility_global_ajax en todas las versiones hasta la 2.9.8 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor o superior, actualicen las opciones del complemento y potencialmente dañen el sitio.
First Time Infility infility Global
Infility
CPE cpe:2.3:a:infility:infility_global:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/action.class.php#L80 - () https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/action.class.php#L80 - Product
References () https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php#L121 - () https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php#L121 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fd1c19-b752-4562-9365-165d709b91b2?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/d0fd1c19-b752-4562-9365-165d709b91b2?source=cve - Third Party Advisory

07 Jan 2025, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-01-07 05:15

Updated : 2025-06-05 15:41


NVD link : CVE-2024-11496

Mitre link : CVE-2024-11496

CVE.ORG link : CVE-2024-11496


JSON object : View

Products Affected

infility

  • infility_global
CWE
CWE-862

Missing Authorization