CVE-2024-11154 - Vulnerability Details

CVE-2024-11154 - PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes <= 3.5.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.15 via the 'actAjaxRevisionDiffs' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including revisions of posts and pages.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Kevinb	Publishpress Revisions Duplicate Posts Submit Approve And Schedule Content Changes

No data.

References

Link	Providers
https://github.com/publishpress/PublishPress-Revisions/blob/master/admin/history_rvy.php#L322
https://plugins.trac.wordpress.org/browser/revisionary/trunk/admin/history_rvy.php#L322
https://plugins.trac.wordpress.org/changeset/3192492/
https://www.wordfence.com/threat-intel/vulnerabilities/id/c785b7a0-5091-4d89-87d3-cd7d9984553e?source=cve

History

Wed, 20 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kevinb Kevinb publishpress Revisions Duplicate Posts Submit Approve And Schedule Content Changes
CPEs		cpe:2.3:a:kevinb:publishpress_revisions_duplicate_posts_submit_approve_and_schedule_content_changes::::::::
Vendors & Products		Kevinb Kevinb publishpress Revisions Duplicate Posts Submit Approve And Schedule Content Changes
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 20 Nov 2024 14:00:00 +0000

Type	Values Removed	Values Added
Description		The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.15 via the 'actAjaxRevisionDiffs' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including revisions of posts and pages.
Title		PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes <= 3.5.15 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Weaknesses		CWE-862
References		https://github.com/publishpress/PublishPress-Revisions/blob/master/admin/history_rvy.php#L322 https://plugins.trac.wordpress.org/browser/revisionary/trunk/admin/history_rvy.php#L322 https://plugins.trac.wordpress.org/changeset/3192492/ https://www.wordfence.com/threat-intel/vulnerabilities/id/c785b7a0-5091-4d89-87d3-cd7d9984553e?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-11-20T13:55:13.662Z

Updated: 2024-11-20T14:36:45.683Z

Reserved: 2024-11-12T17:40:03.390Z

Link: CVE-2024-11154

Vulnrichment

Updated: 2024-11-20T14:36:31.829Z

NVD

Status : Awaiting Analysis

Published: 2024-11-20T14:15:17.500

Modified: 2024-11-21T13:57:24.187

Link: CVE-2024-11154

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object