CVE-2024-1385

HIGH

WP-Stateless - Google Cloud Storage <= 3.4.0 - Authenticated Arbitrary Option Update via Missing Capability Check

Title source: llm

Description

The WP-Stateless – Google Cloud Storage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the dismiss_notices() function in all versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to the current time, which may completely take a site offline.

Scores

CVSS v3: 7.1
EPSS: 0.0041
EPSS Percentile: 32.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (2)
udx/wp-stateless < 3.4.0
usability_dynamics/WP-Stateless – Google Cloud Storage < 3.4.0
Published: Apr 06, 2024
Tracked Since: Feb 18, 2026