CVE-2024-4410

MEDIUM

IgnitionDeck Crowdfunding Platform <1.9.8 - Privilege Escalation

Title source: llm
STIX 2.1

Description

The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others.

Scores

CVSS v3 5.4
EPSS 0.0038
EPSS Percentile 29.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
ignitionwp/IgnitionDeck Crowdfunding Platform < 1.9.8
Published Jul 27, 2024
Tracked Since Feb 18, 2026