The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.
Metrics
Affected Vendors & Products
References
History
Fri, 06 Dec 2024 18:15:00 +0000
Type | Values Removed | Values Added
---|---|---
First Time appeared | | Alex Kirk, Alex Kirk friends
CPEs | | cpe:2.3:a:alex_kirk:friends:*:*:*:*:*:*:*:*
Vendors & Products | | Alex Kirk, Alex Kirk friends
Metrics | | ssvc
Fri, 06 Dec 2024 08:45:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | | The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.
Title | | Friends <= 3.2.1 - Missing Authorization
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-12-06T08:24:55.598Z
Updated: 2024-12-06T17:23:13.155Z
Reserved: 2024-12-02T15:04:16.202Z
Link: CVE-2024-12028
Vulnrichment
Updated: 2024-12-06T17:23:05.481Z
NVD
Status: Received
Published: 2024-12-06T09:15:07.957
Modified: 2024-12-06T09:15:07.957
Link: CVE-2024-12028
Redhat
No data.