CVE-2024-3627 - OpenCVE

The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Kraftplugins	Wheel Of Life

Configuration 1 [-]

cpe:2.3:a:kraftplugins:wheel_of_life:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve

History

No history.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-20T02:08:19.919Z

Updated: 2024-08-01T20:20:01.043Z

Reserved: 2024-04-10T18:39:05.228Z

Link: CVE-2024-3627

Vulnrichment

Updated: 2024-08-01T20:20:01.043Z

NVD

Status : Analyzed

Published: 2024-06-20T02:15:11.040

Modified: 2024-07-15T17:12:17.763

Link: CVE-2024-3627

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3627", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-10T18:39:05.228Z", "datePublished": "2024-06-20T02:08:19.919Z", "dateUpdated": "2024-08-01T20:20:01.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-20T02:08:19.919Z"}, "affected": [{"vendor": "kraftplugins", "product": "Wheel of Life: Coaching and Assessment Tool for Life Coach", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings."}], "title": "Wheel of Life: Coaching and Assessment Tool for Life Coach <= 1.1.7 - Missing Authorization on Several AJAX Endpoints", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-06-19T12:15:38.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-20T13:44:58.942131Z", "id": "CVE-2024-3627", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T13:45:08.624Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.043Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.043Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-20T13:44:58.942131Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-20T13:45:05.226Z"}}], "cna": {"title": "Wheel of Life: Coaching and Assessment Tool for Life Coach <= 1.1.7 - Missing Authorization on Several AJAX Endpoints", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "kraftplugins", "product": "Wheel of Life: Coaching and Assessment Tool for Life Coach", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-06-19T12:15:38.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php"}], "descriptions": [{"lang": "en", "value": "The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-20T02:08:19.919Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3627", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:20:01.043Z", "dateReserved": "2024-04-10T18:39:05.228Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-06-20T02:08:19.919Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kraftplugins:wheel_of_life:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8279D89F-46FA-490F-87D7-AF34D607BB3E", "versionEndIncluding": "1.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings."}, {"lang": "es", "value": "El complemento Wheel of Life: Coaching and Assessment Tool for Life Coach para WordPress es vulnerable a modificaciones no autorizadas y p\u00e9rdida de datos debido a una falta de verificaci\u00f3n de capacidad en varias funciones en el archivo AjaxFunctions.php en todas las versiones hasta la 1.1.7 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen publicaciones arbitrarias y modifiquen configuraciones."}], "id": "CVE-2024-3627", "lastModified": "2024-07-15T17:12:17.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2024-06-20T02:15:11.040", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wheel-of-life/trunk/includes/functions/AjaxFunctions.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0615d1be-f9fa-45b3-9d5b-3ad1f36be8e1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}