Skip to main content

Gamipress CVE-2024-2505

HIGH
2024-04-29 contact@wpscan.com
8.1
CVSS 3.1 · Vendor: wpscan
Share

Severity by source

Vendor (wpscan) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (wpscan) · only source for this CVE.

CVSS VectorVendor: wpscan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 29, 2024 - 06:15 cve.org
HIGH 8.1

DescriptionCVE.org

The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations.

AnalysisAI

The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations. Affected products include: Gamipress. Version information: before 6.8.9.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-13496 HIGH POC
7.5 Jan 22

The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is

CVE-2024-11036 CRITICAL
9.8 Nov 19

The The GamiPress - The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for Wo

CVE-2023-0154 MEDIUM POC
5.4 Feb 06

The GamiPress WordPress plugin before 1.0.9 does not validate and escape some of its shortcode attributes before outputt

CVE-2024-1799 HIGH
8.8 Mar 20

The GamiPress - The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPr

CVE-2026-48874 HIGH
8.5 Jun 15

SQL injection in the GamiPress WordPress plugin versions 7.8.7 and earlier allows authenticated users with subscriber-le

CVE-2024-2783 MEDIUM
6.4 Apr 09

The GamiPress - The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPr

CVE-2024-2460 MEDIUM
6.4 Mar 20

The GamiPress - Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gamipress_but

CVE-2023-25715 MEDIUM
5.4 Dec 19

Missing Authorization vulnerability in GamiPress GamiPress - The #1 gamification plugin to reward points, achievements,

CVE-2026-32420 MEDIUM
5.4 Mar 13

GamiPress versions 7.6.6 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability that allows unauthenticat

CVE-2026-24546 MEDIUM
5.3 May 25

Unauthenticated information disclosure in the GamiPress WordPress plugin (versions through 7.6.3) allows remote attacker

CVE-2024-30455 MEDIUM
4.3 Mar 29

Cross-Site Request Forgery (CSRF) vulnerability in GamiPress.8.5. Rated medium severity (CVSS 4.3), this vulnerability i

CVE-2024-13499 HIGH
7.3 Jan 22

The The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress

Share

CVE-2024-2505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy