CVE-2024-6698 Vulnerability Details

  /     /     /  

CVE-2024-6698 Metadata Quick Info

CVE Published: 01/08/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: Wordfence | Vendor: xpeedstudio | Product: FundEngine – Donation and Crowdfunding Platform
Status : PUBLISHED

---

CVE-2024-6698 Description

The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta which can be leveraged to update their capabilities to gain administrator access.

Metrics

CVSS Version: 3.1 | Base Score: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-862
CWE Name: CWE-862 Missing Authorization
Source: xpeedstudio

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).