Skip to main content

Eyewear Prescription Form CVE-2024-54239

CRITICAL
Missing Authorization (CWE-862)
2024-12-13 audit@patchstack.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:23 NVD
9.8 (CRITICAL)
CVE Published
Dec 13, 2024 - 15:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in dugudlabs Eyewear prescription form eyewear-prescription-form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through <= 4.0.18.

AnalysisAI

Privilege escalation in the dugudlabs Eyewear Prescription Form WordPress plugin (versions up to and including 4.0.18) allows remote unauthenticated attackers to perform unauthorized actions by exploiting missing authorization checks. The CVSS 9.8 score with network attack vector and no privileges required indicates trivial exploitation against any WordPress site running this plugin, and the EPSS score of 3.05% (87th percentile) suggests elevated exploitation probability though no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Eyewear Prescription Form WordPress plugin by dugudlabs, which provides functionality for collecting eyewear prescription data on WordPress sites. CWE-862 (Missing Authorization) indicates that the plugin fails to verify whether a user has the required permissions before allowing access to privileged functionality or sensitive operations. In WordPress plugin contexts, this typically manifests as AJAX endpoints, REST API routes, or admin-post handlers that lack capability checks (current_user_can()) or nonce verification, allowing unauthenticated requests to invoke administrative functionality intended for higher-privileged users.

Affected ProductsAI

The dugudlabs Eyewear Prescription Form WordPress plugin (slug: eyewear-prescription-form) is affected in all versions from initial release through and including version 4.0.18. The vulnerability was reported by Patchstack (audit@patchstack.com), and additional details would typically be available via the Patchstack vulnerability database advisory for this CVE.

RemediationAI

No vendor-released patch identified at time of analysis based on the provided data - the description indicates the issue affects versions 'from n/a through <= 4.0.18' without naming a fixed release. Site administrators should immediately deactivate and remove the Eyewear Prescription Form plugin until a patched version higher than 4.0.18 is confirmed via the WordPress plugin repository or the Patchstack advisory. As compensating controls if removal is not feasible, restrict access to the plugin's AJAX and REST endpoints via web application firewall rules (Wordfence, Patchstack, or similar), block unauthenticated POST requests to wp-admin/admin-ajax.php actions associated with the plugin, and monitor for unexpected user role changes or new administrator accounts - note that WAF rules require knowledge of the specific vulnerable endpoint and may break legitimate plugin functionality.

Share

CVE-2024-54239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy