CVE-2024-2538

MEDIUM

Permalink Manager Lite < 2.4.3.2 - Missing Authorization

Title source: rule

Description

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://gist.github.com/Xib3rR4dAr/b1eec00e844932c6f2f30a63024b404e

Patch

https://plugins.trac.wordpress.org/changeset/3052848#file35

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/70cd028d-122d-4e3c-ac09-150dec07a2cd?source=cve

Scores

CVSS v3 5.4

EPSS 0.0005

EPSS Percentile 15.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-639 CWE-862

Status published

Products (2)

mbis/Permalink Manager Lite < 2.4.3.1

permalink_manager_lite_project/permalink_manager_lite < 2.4.3.2

Published Mar 20, 2024

Tracked Since Feb 18, 2026