Eyewear Prescription Form CVE-2024-54239
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in dugudlabs Eyewear prescription form eyewear-prescription-form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through <= 4.0.18.
AnalysisAI
Privilege escalation in the dugudlabs Eyewear Prescription Form WordPress plugin (versions up to and including 4.0.18) allows remote unauthenticated attackers to perform unauthorized actions by exploiting missing authorization checks. The CVSS 9.8 score with network attack vector and no privileges required indicates trivial exploitation against any WordPress site running this plugin, and the EPSS score of 3.05% (87th percentile) suggests elevated exploitation probability though no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Eyewear Prescription Form WordPress plugin by dugudlabs, which provides functionality for collecting eyewear prescription data on WordPress sites. CWE-862 (Missing Authorization) indicates that the plugin fails to verify whether a user has the required permissions before allowing access to privileged functionality or sensitive operations. In WordPress plugin contexts, this typically manifests as AJAX endpoints, REST API routes, or admin-post handlers that lack capability checks (current_user_can()) or nonce verification, allowing unauthenticated requests to invoke administrative functionality intended for higher-privileged users.
Affected ProductsAI
The dugudlabs Eyewear Prescription Form WordPress plugin (slug: eyewear-prescription-form) is affected in all versions from initial release through and including version 4.0.18. The vulnerability was reported by Patchstack (audit@patchstack.com), and additional details would typically be available via the Patchstack vulnerability database advisory for this CVE.
RemediationAI
No vendor-released patch identified at time of analysis based on the provided data - the description indicates the issue affects versions 'from n/a through <= 4.0.18' without naming a fixed release. Site administrators should immediately deactivate and remove the Eyewear Prescription Form plugin until a patched version higher than 4.0.18 is confirmed via the WordPress plugin repository or the Patchstack advisory. As compensating controls if removal is not feasible, restrict access to the plugin's AJAX and REST endpoints via web application firewall rules (Wordfence, Patchstack, or similar), block unauthenticated POST requests to wp-admin/admin-ajax.php actions associated with the plugin, and monitor for unexpected user role changes or new administrator accounts - note that WAF rules require knowledge of the specific vulnerable endpoint and may break legitimate plugin functionality.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today