CVE-2024-1370
First published: Wed Mar 13 2024(Updated: )
The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Themegrill Maintenance Page | <1.0.9 | |
| WordPress Maintenance | <=1.0.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-1370?
CVE-2024-1370 has a medium severity rating due to the potential for unauthorized data access.
How do I fix CVE-2024-1370?
To fix CVE-2024-1370, update the Maintenance Page plugin for WordPress to version 1.0.9 or higher.
Who is affected by CVE-2024-1370?
CVE-2024-1370 affects all versions of the Maintenance Page plugin for WordPress up to and including version 1.0.8.
What type of attack is possible with CVE-2024-1370?
CVE-2024-1370 allows authenticated attackers to access sensitive data due to a missing capability check.
What is the impacted functionality in CVE-2024-1370?
The vulnerability affects the subscribe_download function that is hooked via AJAX action.
- agent/references
- agent/description
- agent/author
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/severity
- agent/weakness
- agent/remedy
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup-request
- vendor/themegrill
- canonical/themegrill maintenance page
- vendor/wordpress
- canonical/wordpress maintenance