1. Basic information on vulnerability CVE-2024-13752
Vulnerability title
WP Project Manager <= 2.6.17 - Authenticated User Unauthorized Update of Arbitrary Options
Source: AIGC 神龙大模型
Vulnerability description
In the WordPress plugin WP Project Manager – Task, team, and project management (version 2.6.17 and earlier), the '/pm/v2/settings/notice' endpoint performs insufficient permission verification. This allows authenticated attackers with Subscriber-level access and above to cause a persistent denial-of-service condition, resulting in unauthorized data loss.
Source: AIGC 神龙大模型
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: AIGC 神龙大模型
Vulnerability category
Missing authorization
Source: AIGC 神龙大模型
Vulnerability title
WP Project Manager <= 2.6.17 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Source: U.S. National Vulnerability Database (NVD)
Vulnerability description
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint in all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition.
Source: U.S. National Vulnerability Database (NVD)
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: U.S. National Vulnerability Database (NVD)
Vulnerability category
Missing authorization
Source: U.S. National Vulnerability Database (NVD)
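The root cause named in both descriptions is a REST endpoint whose settings-update callback is reachable without a capability check. The following is an added illustration of the hardened pattern for a WordPress REST route; it is not the plugin's own code, and the namespace 'example/v1', the route '/settings/notice', the function name and the option name 'example_notice_settings' are hypothetical. The vulnerable shape is the same registration with the permission callback set to '__return_true' (or omitted), which lets any logged-in user reach the callback.

```php
<?php
// Added example: a settings endpoint that rejects callers who lack the
// 'manage_options' capability. Names below are hypothetical and not taken
// from the plugin discussed on this page.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings/notice', array(
        'methods'  => 'POST',
        'callback' => 'example_update_notice_settings',
        // The authorization check. The weak value here would be
        // '__return_true', which accepts every request, including those from
        // Subscriber-level accounts; a missing permission_callback also
        // triggers a _doing_it_wrong notice in WordPress 5.5 and later.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Declare and sanitize the only field the endpoint accepts.
        'args' => array(
            'notice' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_update_notice_settings( WP_REST_Request $request ) {
    // Only the declared field is written, and the option name is fixed in
    // code, so the caller cannot choose which option is overwritten.
    $updated = update_option( 'example_notice_settings', array(
        'notice' => $request->get_param( 'notice' ),
    ) );
    return rest_ensure_response( array( 'updated' => (bool) $updated ) );
}
```

When auditing a plugin for this class of issue, list every register_rest_route() call and confirm that each permission_callback performs a capability check appropriate to what the callback writes; routes that take an option name or key from the request body deserve particular attention, since they turn a single missing check into the "arbitrary options update" described above.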
2. Public POC for vulnerability CVE-2024-13752
# | POC | Description | Source link | 神龙 link
(none listed)
3. Intelligence on vulnerability CVE-2024-13752
  • Title: WP Project Manager <= 2.6.17 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update -- 🔗 Source link

    Tags:

  • Title: Upgrade_2_0.php in wedevs-project-manager/trunk/core/Upgrades – WordPress Plugin Repository -- 🔗 Source link

    Tags:

  • Title: Upgrade_2_3.php in wedevs-project-manager/trunk/core/Upgrades – WordPress Plugin Repository -- 🔗 Source link

    Tags:

  • Title: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts – WordPress plugin | WordPress.org -- 🔗 Source link

    Tags:

  • Title: Changeset 3239348 – WordPress Plugin Repository -- 🔗 Source link

    Tags:

  • Title: Error: No such node – WordPress Plugin Repository -- 🔗 Source link

    Tags:

  • Title: Diff [3213295:3240806] for wedevs-project-manager/trunk/routes/settings.php – WordPress Plugin Repository -- 🔗 Source link

    Tags:

  • https://nvd.nist.gov/vuln/detail/CVE-2024-13752