CVE-2024-6120 (GCVE-0-2024-6120)
Vulnerability from cvelistv5 – Published: 2024-06-21 23:33 – Updated: 2024-08-01 21:33
VLAI?
Title
Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import
Summary
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
Severity ?
6.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sparklewpthemes | Sparkle Demo Importer |
Affected:
* , ≤ 1.4.7
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T03:09:35.333336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T03:10:11.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:04.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sparkle Demo Importer",
"vendor": "sparklewpthemes",
"versions": [
{
"lessThanOrEqual": "1.4.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T23:33:48.423Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-30T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-06-21T11:04:07.000+00:00",
"value": "Disclosed"
}
],
"title": "Sparkle Demo Importer \u003c= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6120",
"datePublished": "2024-06-21T23:33:48.423Z",
"dateReserved": "2024-06-18T11:26:18.203Z",
"dateUpdated": "2024-08-01T21:33:04.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:wpneuron:sparkle_demo_importer:*:*:*:*:*:wordpress:*:*\", \"versionEndExcluding\": \"1.4.8\", \"matchCriteriaId\": \"564B65B3-F58C-4F74-B7FF-5BC0FDFE5EAF\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.\"}, {\"lang\": \"es\", \"value\": \"El complemento Sparkle Demo Importer para WordPress es vulnerable al restablecimiento no autorizado de la base de datos y a la importaci\\u00f3n de datos de demostraci\\u00f3n debido a una falta de verificaci\\u00f3n de capacidad en las m\\u00faltiples funciones en todas las versiones hasta la 1.4.7 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todas las publicaciones, p\\u00e1ginas y archivos cargados, as\\u00ed como tambi\\u00e9n descarguen e instalen un conjunto limitado de complementos de demostraci\\u00f3n.\"}]",
"id": "CVE-2024-6120",
"lastModified": "2024-11-21T09:49:00.237",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@wordfence.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2024-06-22T00:15:09.690",
"references": "[{\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve\", \"source\": \"security@wordfence.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-6120\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2024-06-22T00:15:09.690\",\"lastModified\":\"2024-11-21T09:49:00.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.\"},{\"lang\":\"es\",\"value\":\"El complemento Sparkle Demo Importer para WordPress es vulnerable al restablecimiento no autorizado de la base de datos y a la importaci\u00f3n de datos de demostraci\u00f3n debido a una falta de verificaci\u00f3n de capacidad en las m\u00faltiples funciones en todas las versiones hasta la 1.4.7 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen todas las publicaciones, p\u00e1ginas y archivos cargados, as\u00ed como tambi\u00e9n descarguen e instalen un conjunto limitado de complementos de demostraci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wpneuron:sparkle_demo_importer:*:*:*:*:*:wordpress:*:*\",\"versionEndExcluding\":\"1.4.8\",\"matchCriteriaId\":\"564B65B3-F58C-4F74-B7FF-5BC0FDFE5EAF\"}]}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve\",\"source\":\"security@wordfence.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:33:04.910Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6120\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-06T03:09:35.333336Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-06T03:09:37.215Z\"}}], \"cna\": {\"title\": \"Sparkle Demo Importer \u003c= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Lucio S\\u00e1\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\"}}], \"affected\": [{\"vendor\": \"sparklewpthemes\", \"product\": \"Sparkle Demo Importer\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.4.7\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-05-30T00:00:00.000+00:00\", \"value\": \"Discovered\"}, {\"lang\": \"en\", \"time\": \"2024-06-21T11:04:07.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/8f411d17-5b0d-4a4a-afa8-7efebf6965f2?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L446\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L469\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L497\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L519\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L595\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L570\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L627\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/sparkle-demo-importer/tags/1.4.7/sparkle-demo-importer.php#L541\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2024-06-21T23:33:48.423Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-6120\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:33:04.910Z\", \"dateReserved\": \"2024-06-18T11:26:18.203Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2024-06-21T23:33:48.423Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…