CVE-2024-12028
Friends <= 3.2.1 - Missing Authorization
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
06 dic 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Productos afectados
akirk · Friends¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3203812%40friends%2Ftrunk&old=3199284%40friends%2Ftrunk&sfp_email=&sfph_mail=https://wordpress.org/plugins/friends/#developershttps://www.wordfence.com/threat-intel/vulnerabilities/id/980b16d4-3c4a-4ed1-af46-f39f3ec6dd19?source=cve