CVE-2024-4410
MEDIUMIgnitionDeck Crowdfunding Platform <1.9.8 - Privilege Escalation
Title source: llmDescription
The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others.
References (4)
Core 4
Scores
CVSS v3
5.4
EPSS
0.0038
EPSS Percentile
29.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
ignitionwp/IgnitionDeck Crowdfunding Platform
< 1.9.8
Published
Jul 27, 2024
Tracked Since
Feb 18, 2026