GRÜN spendino CVE-2024-50476
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular spendino allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through <= 1.0.1.
AnalysisAI
Privilege escalation in GRÜN spendino Spendenformular plugin versions through 1.0.1 allows remote unauthenticated attackers to gain elevated privileges due to missing authorization checks. With a CVSS of 9.8 and EPSS at 24.70% (96th percentile), this represents a significant exploitation risk, though no public exploit identified at time of analysis. The flaw is tagged as both Authentication Bypass and Privilege Escalation, reported by Patchstack who specializes in WordPress plugin security.
Technical ContextAI
GRÜN spendino Spendenformular is a donation form plugin developed by GRÜN Software Group GmbH, typically deployed as a WordPress plugin for nonprofit fundraising websites. The vulnerability falls under CWE-862 (Missing Authorization), meaning the application fails to perform authorization checks before allowing access to sensitive functionality or resources. In WordPress plugin contexts, this commonly manifests as AJAX endpoints, REST API routes, or admin-post handlers that fail to verify the caller's role/capabilities, enabling lower-privileged or unauthenticated users to invoke privileged actions.
Affected ProductsAI
GRÜN spendino Spendenformular plugin (vendor: GRÜN Software Group GmbH) is affected from an unspecified initial version through and including version 1.0.1. No CPE strings were provided in the input data, and no vendor advisory URL was supplied in the references - the Patchstack advisory database (patchstack.com) is the originating intelligence source given the reporter audit@patchstack.com.
RemediationAI
No vendor-released patch identified at time of analysis based on the supplied data - affected versions extend through 1.0.1 with no fixed version specified. Site administrators should monitor the Patchstack advisory database and the GRÜN Software Group GmbH vendor channel for an updated release above 1.0.1. As compensating controls until a patch is published, deactivate the GRÜN spendino Spendenformular plugin entirely (trade-off: donation forms become unavailable), restrict access to the WordPress admin and AJAX endpoints (wp-admin/admin-ajax.php and the plugin's REST routes) via web application firewall rules or IP allowlisting, and deploy a virtual patch through a WAF service such as Patchstack or Wordfence that publishes mitigation rules for this CVE.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today