← Retour aux CVEs

CVE-2024-6000

HIGH

7.1

Description

The FooEvents for WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary file uploads due to an improper capability setting on the 'display_ticket_themes_page' function in versions up to, and including, 1.19.20. This makes it possible for authenticated attackers with contributor-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in 1.19.20, and fully patched in 1.19.21.

Details CVE

Score CVSS v3.17.1

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteHIGH

Privileges requisLOW

Interaction utilisateurREQUIRED

Publie6/15/2024

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

References

https://help.fooevents.com/docs/topics/changelogs/fooevents-for-woocommerce/(security@wordfence.com)

https://www.wordfence.com/threat-intel/vulnerabilities/id/1080810b-ec9a-44fb-b4da-49b28646a441?source=cve(security@wordfence.com)

https://help.fooevents.com/docs/topics/changelogs/fooevents-for-woocommerce/(af854a3a-2127-422b-91ae-364da2661108)

https://www.wordfence.com/threat-intel/vulnerabilities/id/1080810b-ec9a-44fb-b4da-49b28646a441?source=cve(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.