CVE-2024-6709 - Vulnerability Details - OpenCVE

The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00115.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Syncpostwithothersite	Sync Post With Other Site

Configuration 1 [-]

cpe:2.3:a:syncpostwithothersite:sync_post_with_other_site:*:*:*:*:*:wordpress:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/sync-post-with-other-site/trunk/includes/sps_sync.class.php#L231
https://plugins.trac.wordpress.org/changeset/3128945/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3d97eee1-0f72-4dd3-998a-acb454fa5e8a?source=cve

History

Sat, 01 Mar 2025 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Syncpostwithothersite Syncpostwithothersite sync Post With Other Site
CPEs		cpe:2.3:a:syncpostwithothersite:sync_post_with_other_site::::::wordpress::*
Vendors & Products		Syncpostwithothersite Syncpostwithothersite sync Post With Other Site

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-08-03T11:37:37.807Z

Updated: 2024-08-05T19:44:02.179Z

Reserved: 2024-07-11T22:49:40.823Z

Link: CVE-2024-6709

Vulnrichment

Updated: 2024-08-05T19:43:56.839Z

NVD

Status : Analyzed

Published: 2024-08-03T12:15:16.943

Modified: 2025-03-01T01:20:09.943

Link: CVE-2024-6709

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6709", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-07-11T22:49:40.823Z", "datePublished": "2024-08-03T11:37:37.807Z", "dateUpdated": "2024-08-05T19:44:02.179Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-08-03T11:37:37.807Z"}, "affected": [{"vendor": "kp4coder", "product": "Sync Post With Other Site", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts."}], "title": "Sync Post With Other Site <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Post Creation and Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d97eee1-0f72-4dd3-998a-acb454fa5e8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sync-post-with-other-site/trunk/includes/sps_sync.class.php#L231"}, {"url": "https://plugins.trac.wordpress.org/changeset/3128945/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-08-02T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T19:41:11.239444Z", "id": "CVE-2024-6709", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T19:44:02.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6709", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T19:41:11.239444Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T19:43:56.839Z"}}], "cna": {"title": "Sync Post With Other Site <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Post Creation and Update", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "kp4coder", "product": "Sync Post With Other Site", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-08-02T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d97eee1-0f72-4dd3-998a-acb454fa5e8a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sync-post-with-other-site/trunk/includes/sps_sync.class.php#L231"}, {"url": "https://plugins.trac.wordpress.org/changeset/3128945/"}], "descriptions": [{"lang": "en", "value": "The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-08-03T11:37:37.807Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6709", "state": "PUBLISHED", "dateUpdated": "2024-08-05T19:44:02.179Z", "dateReserved": "2024-07-11T22:49:40.823Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-08-03T11:37:37.807Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:syncpostwithothersite:sync_post_with_other_site:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5A950A31-0EAA-4F9E-9DDF-A5AEA5A0E947", "versionEndExcluding": "1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts."}, {"lang": "es", "value": "El complemento Sync Post With Other Site para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'sps_add_update_post' en todas las versiones hasta la 1.6 incluida. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, creen nuevos borradores de publicaciones y actualicen las publicaciones existentes."}], "id": "CVE-2024-6709", "lastModified": "2025-03-01T01:20:09.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2024-08-03T12:15:16.943", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/sync-post-with-other-site/trunk/includes/sps_sync.class.php#L231"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3128945/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d97eee1-0f72-4dd3-998a-acb454fa5e8a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}