CVE-2024-5324
HIGH · EXPLOITED · WordPress Login/Signup Popup < 2.7.2 - Info Disclosure
Title source: llmDescription
Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
Exploits (1)
nomisec
WORKING POC
1 star
by RandomRobbieBF · remote
https://github.com/RandomRobbieBF/CVE-2024-5324
References (7)
Scores
CVSS v3: 8.8
EPSS: 0.4373
EPSS Percentile: 97.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2024-06-05
CWE: CWE-862, CWE-863
Status: published
Products (9)
xootix/Login & Register Customizer – Popup | Slider | Inline | WooCommerce: 2.7.1 - 2.7.2
xootix/login/signup_popup: 2.7.1
xootix/login/signup_popup: 2.7.2
xootix/OTP Login & Register Woocommerce: < 2.6.1
xootix/otp_login_woocommerce_&_gravity_forms: < 2.6.2
xootix/side_cart_woocommerce: 2.5
xootix/Side Cart Woocommerce | Woocommerce Cart: 2.5
xootix/waitlist_woocommerce: < 2.6.1
xootix/Waitlist Woocommerce ( Back in stock notifier ): < 2.6
Published: Jun 06, 2024
Tracked Since: Feb 18, 2026