CVE-2024-13800

HIGH

ConvertPlus <= 3.5.30 - Authenticated Denial of Service via cp_dismiss_notice AJAX Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-13800. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary

The repository contains a functional proof-of-concept exploit for CVE-2024-13800, demonstrating a missing authorization vulnerability in the ConvertPlus WordPress plugin. The exploit allows authenticated attackers with Subscriber-level access to update specific option values via the 'cp_dismiss_notice' AJAX endpoint, potentially leading to denial of service or unauthorized configuration changes.

Description

The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service, due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set option values to '1' on the WordPress site. This can be leveraged to update an option in a way that causes an error on the site and denies service to legitimate users, or to enable settings that are stored as true, such as user registration.

Exploits (1)

nomisec · Working PoC · 1 star
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-13800


Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: ConvertPlus WordPress plugin <= 3.5.30
Auth required: yes
Prerequisites: Authenticated WordPress user with Subscriber-level access or higher
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 8.1
EPSS: 0.0043
EPSS Percentile: 34.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (2):
Brainstorm Force/ConvertPlus < 3.5.30
convertplug/convertplus < 3.5.31
Published: Feb 12, 2025
Tracked Since: Feb 18, 2026