Search criteria
3 vulnerabilities found for sparkle_demo_importer by wpneuron
FKIE_CVE-2024-6120
Vulnerability from fkie_nvd - Published: 2024-06-22 00:15 - Updated: 2024-11-21 09:49
Severity ?
Summary
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpneuron | sparkle_demo_importer | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpneuron:sparkle_demo_importer:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "564B65B3-F58C-4F74-B7FF-5BC0FDFE5EAF",
"versionEndExcluding": "1.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins."
},
{
"lang": "es",
"value": "El complemento Sparkle Demo Importer para WordPress es vulnerable al restablecimiento no autorizado de la base de datos y a la importaci\u00f3n de datos de demostraci\u00f3n debido a una falta de verificaci\u00f3n de capacidad en las m\u00faltiples funciones en todas las versiones hasta la 1.4.7 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todas las publicaciones, p\u00e1ginas y archivos cargados, as\u00ed como tambi\u00e9n descarguen e instalen un conjunto limitado de complementos de demostraci\u00f3n."
}
],
"id": "CVE-2024-6120",
"lastModified": "2024-11-21T09:49:00.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Secondary"
}
]
},
"published": "2024-06-22T00:15:09.690",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-6120 (GCVE-0-2024-6120)
Vulnerability from cvelistv5 – Published: 2024-06-21 23:33 – Updated: 2024-08-01 21:33
VLAI?
Title
Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import
Summary
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
Severity ?
6.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sparklewpthemes | Sparkle Demo Importer |
Affected:
* , ≤ 1.4.7
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T03:09:35.333336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T03:10:11.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:04.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sparkle Demo Importer",
"vendor": "sparklewpthemes",
"versions": [
{
"lessThanOrEqual": "1.4.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T23:33:48.423Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-30T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-21T11:04:07.000+00:00",
"value": "Disclosed"
}
],
"title": "Sparkle Demo Importer \u003c= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6120",
"datePublished": "2024-06-21T23:33:48.423Z",
"dateReserved": "2024-06-18T11:26:18.203Z",
"dateUpdated": "2024-08-01T21:33:04.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6120 (GCVE-0-2024-6120)
Vulnerability from nvd – Published: 2024-06-21 23:33 – Updated: 2024-08-01 21:33
VLAI?
Title
Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import
Summary
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sparklewpthemes | Sparkle Demo Importer |
Affected:
* , ≤ 1.4.7
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T03:09:35.333336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T03:10:11.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:04.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sparkle Demo Importer",
"vendor": "sparklewpthemes",
"versions": [
{
"lessThanOrEqual": "1.4.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T23:33:48.423Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-30T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-21T11:04:07.000+00:00",
"value": "Disclosed"
}
],
"title": "Sparkle Demo Importer \u003c= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6120",
"datePublished": "2024-06-21T23:33:48.423Z",
"dateReserved": "2024-06-18T11:26:18.203Z",
"dateUpdated": "2024-08-01T21:33:04.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}