CVE-2021-24842 - The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allow

CVE-2021-24842

Summary

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts.

References

https://wpscan.com/vulnerability/054bd981-dbdd-47dd-bad0-fa327e5860a2
https://plugins.trac.wordpress.org/changeset/2618982

Vulnerable Configurations

cpe:2.3:a:bulk_datetime_change_project:bulk_datetime_change:*:*:*:*:*:wordpress:*:*
cpe:2.3:a:bulk_datetime_change_project:bulk_datetime_change:*:*:*:*:*:wordpress:*:*

CVSS

Base:	5.5 (as of 24-10-2022 - 16:33)
Impact:
Exploitability:

CWE

CWE-863

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:P/A:N

Last major update

24-10-2022 - 16:33

Published

29-11-2021 - 09:15

Last modified

24-10-2022 - 16:33