CVE-2024-2543

MEDIUM

Permalink Manager Lite < 2.4.3.2 - Missing Authorization

Title source: rule

Description

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts.

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://gist.github.com/Xib3rR4dAr/a248426dfee107c6fda08e80f98fa894

Patch

https://plugins.trac.wordpress.org/changeset/3053899/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/74f6bf42-3406-47c5-b255-6cc1e8084fb5?source=cve

Scores

CVSS v3 4.3

EPSS 0.0037

EPSS Percentile 58.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639 CWE-862

Status published

Products (2)

mbis/Permalink Manager Lite < 2.4.3.1

permalink_manager_lite_project/permalink_manager_lite < 2.4.3.2

Published Apr 09, 2024

Tracked Since Feb 18, 2026