CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in ignitionwp IgnitionDeck ignitiondeck allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IgnitionDeck: from n/a through <= 2.0.15.
Analysis (AI)
Broken access control in IgnitionDeck WordPress plugin (versions ≤2.0.15) enables authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. The vulnerability requires low-privilege authentication but has low attack complexity (CVSS 8.8, AV:N/AC:L/PR:L), allowing compromise of confidentiality, integrity, and availability. EPSS probability is low (0.05%, 15th percentile), and no public exploit is identified at time of analysis, suggesting limited active targeting despite the high severity rating.
Technical Context (AI)
IgnitionDeck is a WordPress crowdfunding platform plugin. This vulnerability stems from CWE-862 (Missing Authorization), a common web application flaw where security checks are absent or improperly implemented on critical functions. The plugin fails to validate whether authenticated users possess appropriate permissions before executing sensitive operations. In WordPress context, this typically manifests as missing capability checks (e.g., current_user_can()) on AJAX handlers, REST API endpoints, or admin functions. The misconfigured access control allows low-privilege users (subscriber, contributor roles) to invoke functionality intended for administrators or specific authorized roles, effectively escalating their privileges within the application scope.
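As an added illustration of the pattern described above (example code, not IgnitionDeck's own), a hypothetical WordPress AJAX handler in its CWE-862 form beside the hardened form; the function names, hook names, and the `campaign_goal` meta key are assumptions made for the example.

```php
<?php
// Added example, not IgnitionDeck code. All names below are hypothetical.

// BEFORE (CWE-862): any authenticated user, including subscribers, can reach a
// wp_ajax_* hook. This handler changes data without asking whether the caller
// is allowed to, so a low-privilege account can edit any campaign.
function idx_example_update_goal_vulnerable() {
    $campaign_id = isset( $_POST['campaign_id'] ) ? absint( $_POST['campaign_id'] ) : 0;
    $goal        = isset( $_POST['goal'] ) ? floatval( $_POST['goal'] ) : 0;

    update_post_meta( $campaign_id, 'campaign_goal', $goal ); // no authorization check
    wp_send_json_success();
}
// Shown for contrast only; not registered so that it never runs.
// add_action( 'wp_ajax_idx_example_update_goal', 'idx_example_update_goal_vulnerable' );

// AFTER: verify intent (nonce) and authorization (capability on the specific
// object) before touching data. Passing the post ID to current_user_can() also
// stops users who may edit their own campaigns from editing someone else's.
function idx_example_update_goal_fixed() {
    // Dies with a 403 response if the nonce is missing or invalid.
    check_ajax_referer( 'idx_example_update_goal', 'nonce' );

    $campaign_id = isset( $_POST['campaign_id'] ) ? absint( $_POST['campaign_id'] ) : 0;
    if ( ! $campaign_id || ! current_user_can( 'edit_post', $campaign_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $goal = isset( $_POST['goal'] ) ? floatval( $_POST['goal'] ) : 0;
    if ( $goal < 0 ) {
        wp_send_json_error( array( 'message' => 'Invalid goal' ), 400 );
    }

    update_post_meta( $campaign_id, 'campaign_goal', $goal );
    wp_send_json_success( array( 'campaign_id' => $campaign_id, 'goal' => $goal ) );
}
add_action( 'wp_ajax_idx_example_update_goal', 'idx_example_update_goal_fixed' );

// The calling page must include the matching nonce in its request, e.g.:
// wp_localize_script( 'idx-example', 'idxExample',
//     array( 'nonce' => wp_create_nonce( 'idx_example_update_goal' ) ) );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*`, and REST route callback and confirm each one performs a capability check scoped to the object it modifies, not just a check that the user is logged in.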
Affected Products (AI)
The vulnerability affects IgnitionDeck, a WordPress plugin developed by ignitionwp for crowdfunding and fundraising campaigns. All versions through 2.0.15 are confirmed vulnerable. The issue was reported through Patchstack's security research team ([email protected]), which maintains vulnerability intelligence for WordPress ecosystem plugins. Organizations can identify affected installations by checking their WordPress plugin version against the ≤2.0.15 threshold. The vendor advisory and technical details are available at https://patchstack.com/database/Wordpress/Plugin/ignitiondeck/vulnerability/wordpress-ignitiondeck-plugin-2-0-10-broken-access-control-vulnerability.
Remediation (AI)
Upgrade IgnitionDeck to version 2.0.16 or later, which addresses the missing authorization checks. Site administrators should update through the WordPress dashboard (Plugins → Installed Plugins → IgnitionDeck → Update) or via WP-CLI using 'wp plugin update ignitiondeck'. As an interim workaround if patching is delayed, restrict user registration to prevent untrusted accounts from being created, audit existing low-privilege user accounts for legitimacy, and monitor WordPress access logs for suspicious activity from authenticated users accessing admin-level functionality. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ignitiondeck/vulnerability/wordpress-ignitiondeck-plugin-2-0-10-broken-access-control-vulnerability for additional context. No vendor-released workaround has been published beyond upgrading to the patched version.