Skip to main content

GRÜN spendino CVE-2024-50476

CRITICAL
Missing Authorization (CWE-862)
2024-10-29 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:22 NVD
9.8 (CRITICAL)
CVE Published
Oct 29, 2024 - 09:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular spendino allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through <= 1.0.1.

AnalysisAI

Privilege escalation in GRÜN spendino Spendenformular plugin versions through 1.0.1 allows remote unauthenticated attackers to gain elevated privileges due to missing authorization checks. With a CVSS of 9.8 and EPSS at 24.70% (96th percentile), this represents a significant exploitation risk, though no public exploit identified at time of analysis. The flaw is tagged as both Authentication Bypass and Privilege Escalation, reported by Patchstack who specializes in WordPress plugin security.

Technical ContextAI

GRÜN spendino Spendenformular is a donation form plugin developed by GRÜN Software Group GmbH, typically deployed as a WordPress plugin for nonprofit fundraising websites. The vulnerability falls under CWE-862 (Missing Authorization), meaning the application fails to perform authorization checks before allowing access to sensitive functionality or resources. In WordPress plugin contexts, this commonly manifests as AJAX endpoints, REST API routes, or admin-post handlers that fail to verify the caller's role/capabilities, enabling lower-privileged or unauthenticated users to invoke privileged actions.

Affected ProductsAI

GRÜN spendino Spendenformular plugin (vendor: GRÜN Software Group GmbH) is affected from an unspecified initial version through and including version 1.0.1. No CPE strings were provided in the input data, and no vendor advisory URL was supplied in the references - the Patchstack advisory database (patchstack.com) is the originating intelligence source given the reporter audit@patchstack.com.

RemediationAI

No vendor-released patch identified at time of analysis based on the supplied data - affected versions extend through 1.0.1 with no fixed version specified. Site administrators should monitor the Patchstack advisory database and the GRÜN Software Group GmbH vendor channel for an updated release above 1.0.1. As compensating controls until a patch is published, deactivate the GRÜN spendino Spendenformular plugin entirely (trade-off: donation forms become unavailable), restrict access to the WordPress admin and AJAX endpoints (wp-admin/admin-ajax.php and the plugin's REST routes) via web application firewall rules or IP allowlisting, and deploy a virtual patch through a WAF service such as Patchstack or Wordfence that publishes mitigation rules for this CVE.

Share

CVE-2024-50476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy